Local Privilege Escalation in Certiport Testing Software

Introduction

Certiport testing software is used to administer certification tests for Microsoft products in a secure testing environment. The software includes monitoring and auto-grading of tests, as well as a practice test feature that is covered in more depth below. Testing centers are created by local schools, colleges, and vocational institutions. Because of the severity of the exploit and the impact it can have on these organizations, I decided to work towards responsible disclosure with Pearson, Inc., the owner and creator of the Certiport testing software.

Affected Versions

  • Ver. < Certiport Console 8
  • Ver. < Certiport IQSystem 7

Explanation

The testing software must be run as a local administrator so that it can hook into Microsoft applications and determine the user's progress on a test. This introduces some inherent risks. Upon completing a practice test, the testing software asks whether you would like to view your test results locally. It does this by creating a PDF and opening it in Internet Explorer or Microsoft Edge. This browser process is not a normal process, though: it is a child process of the testing software and has inherited all of the parent process's permissions. In Windows, opening the save dialog from a privileged child process gives local administrator access to all files and programs on the computer. This allows anyone who can reach this save dialog to run any system application as an administrator, including PowerShell, Command Prompt, and other more privileged tools.

Mitigations

This is a local privilege escalation exploit, and as such any computer running the Certiport testing software would provide a foothold on a network from which attackers could enable remote administration, create accounts, access network shares, and install malware.

To mitigate this, testing facilities, proctors, and exam takers should be closely monitored for abnormal activity during practice tests.
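
The monitoring called for above can be backed by process-creation telemetry. The following is an added example, not part of the original advisory or any vendor code: it flags the chain described in the Explanation, a browser running at elevated integrity and any shell started beneath it. It assumes events carrying Sysmon Event ID 1 field names; the events themselves and the name ExamClient.exe are constructed placeholders.

```python
from ntpath import basename

BROWSERS = {"iexplore.exe", "microsoftedge.exe", "msedge.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
ELEVATED = {"High", "System"}

# Constructed events using Sysmon Event ID 1 field names.
# ExamClient.exe is a placeholder, not the real testing-software binary name.
EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "IntegrityLevel": "High",
     "Image": r"C:\Program Files\ExamClient\ExamClient.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "IntegrityLevel": "High",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g9", "IntegrityLevel": "Medium",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

def exe(event):
    return basename(event["Image"]).lower()

def elevated_browser_ancestor(event, by_guid):
    """Walk up the parent chain; return the first elevated browser found."""
    seen = set()  # guards against loops in malformed data
    cur = by_guid.get(event["ParentProcessGuid"])
    while cur and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        if exe(cur) in BROWSERS and cur["IntegrityLevel"] in ELEVATED:
            return cur
        cur = by_guid.get(cur["ParentProcessGuid"])
    return None

def detect(events):
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if e["IntegrityLevel"] not in ELEVATED:
            continue  # normal browsing and user shells run at Medium or lower
        anc = elevated_browser_ancestor(e, by_guid)
        if exe(e) in BROWSERS:
            parent = by_guid.get(e["ParentProcessGuid"])
            findings.append(("elevated-browser", e["ProcessGuid"],
                             exe(parent) if parent else "unknown"))
        elif exe(e) in SHELLS and anc:
            findings.append(("shell-under-elevated-browser",
                             e["ProcessGuid"], exe(anc)))
    return findings
```

Walking the whole ancestor chain rather than only the direct parent catches a shell started through an intermediate helper process as well.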

Timeline

  • June 4, 2018: Exploit identified and determined to be of high risk.
  • June 6, 2018: Contacted vendor. No response.
  • June 12, 2018: Called vendor. Explained exploit.
  • June 13, 2018: Email response providing patch date.
  • June 26, 2018: Software patched.
  • June 30, 2018: CVE reserved.
  • July 29, 2018: Exploit details written and published.
  • August 3, 2018: CVE published as CVE-2018-12989.

Closing Statement

The responsible disclosure process with Pearson, Inc. was not as smooth as it could have been. I hope to see them improve the process in the future.