Local Privilege Escalation in Certiport Testing Software

Introduction

Certiport testing software is used to administer certification tests for Microsoft products in a secure testing environment. The software includes monitoring and auto-grading of tests as well as a practice test functionality which will be covered in more depth below. This exploit is not new and I just got around to assigning a CVE once I realized the impact it could have on testing centers. Testing centers are created by local schools, colleges, and vocational institutions. Because of the severity of the exploit and the impact it can have on these organizations I decided to push through a CVE. This was no easy task as the security personnel at Pearson Inc. (the vendor of the software) did not know what a CVE was until I informed them.

Affected Versions

Ver. < Certiport Console 8
Ver. < Certiport IQSystem 7

Explanation

The testing software must be run as a local administrator to be able to hook into Microsoft applications to determine the user's progress on a test. This produces some inherent risks. Upon completing a practice test the testing software asks you if you would like to view your test results locally. This is done by creating a PDF and opening it in Internet Explorer or Microsoft Edge. This browser process is not a normal process though. It is a child process of the testing software that has inherited all of the parent process' permissions. Since most all browsers have a save functionality for web pages and PDFs opening the save dialog gives you local administrator access to all files and programs on the computer. This would allow an attacker or cheater to run any system applications as an administrator this includes Powershell and Command Prompt.

Mitigations

This is a local privilege escalation exploit and as such any computers running the Certiport testing software would provide a foothold on a network from which attackers could enable remote administration, create accounts, access network shares, and install malware.

To mitigate this testing facilities, proctors, and exam takers should be closely monitored for abnormal activity during practice tests.

Timeline

June 4, 2018: Exploit identified and determined to be of high risk.
June 6, 2018: Contacted vendor. No response.
June 12, 2018: Called vendor. Explained exploit.
June 13, 2018: Email response providing patch date.
June 26, 2018: Software patched.
June 30, 2018: CVE reserved.
July 29, 2018: Exploit details written and published.
August 3, 2018: CVE published CVE-2018-12989.

Closing Statement

Certiport as well as Pearson Inc. do not seem to have a firm grasp on how their software affects the security of school systems and colleges around the world. Upon asking for permission to publish the CVE and this article I was asked "What is a CVE?". Keep in mind the person I was talking to was the head of their security staff for software and networks. In the end it is up to you the customer to protect yourself when dealing with these companies.