Problem:
Portability normally runs in an elevated state, which means it can restore files and registry keys outside of the user's profile path or outside of HKEY_CURRENT_USER. This alone is not a concern, but combined with a Portability Ruleset that saves/restores a custom path outside of the user's profile, a user could modify their own Portability archive to restore items to locations they would not otherwise have write access to as a normal, non-admin user.
*None of the out-of-the-box template configurations in ProfileUnity contain the vulnerable rules described above; such rules would need to have been created manually for a deployment to be at risk.
Solution:
First - avoid creating Portability Rulesets for non-admin users that handle paths outside of the user's profile.
Second - to add additional security, you can set the Portability module to run unelevated, which prevents a user from exploiting an existing vulnerable ruleset. Non-admin users will then no longer be able to save/restore files outside of their profile unless a pre-existing ACL already grants them access to that particular path.
- Download the latest client with this feature here.
- Unzip the client-tools into a new folder, open the client.net.zip file, and edit Lwl.ProfileUnity.Client.exe.config.
- Find the setting "PortabilityDeelevate" and set it to True. Save the file and make sure client.net.zip is updated with the changed config.
- See the README for additional information on deploying the new client-tools.
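The steps above, scripted as an added example (not part of this article or of the ProfileUnity client-tools); it assumes the client-tools zip has already been downloaded to C:\Temp\client-tools.zip and that the setting lives in the config's standard <appSettings> section as <add key="PortabilityDeelevate" value="..."/>, then verifies the value by reading the config back out of the rebuilt client.net.zip:

```powershell
# Added example, not ProfileUnity's own tooling. Assumed: download location, staging
# folder, and that PortabilityDeelevate is an <appSettings> <add key=.../> entry.
param(
    [string]$ClientToolsZip = "C:\Temp\client-tools.zip",   # assumed download location
    [string]$WorkDir        = "C:\Temp\client-tools"        # assumed staging folder
)
$ErrorActionPreference = 'Stop'
$ConfigName = 'Lwl.ProfileUnity.Client.exe.config'

# 1. Unzip the client-tools into a new folder.
Expand-Archive -Path $ClientToolsZip -DestinationPath $WorkDir -Force

# 2. Extract client.net.zip so the config inside it can be edited.
$ClientNetZip = Join-Path $WorkDir 'client.net.zip'
$ClientNetDir = Join-Path $WorkDir 'client.net'
Expand-Archive -Path $ClientNetZip -DestinationPath $ClientNetDir -Force

# 3. Set PortabilityDeelevate to True with an XML edit, not a blind text replace.
$ConfigPath = Get-ChildItem -Path $ClientNetDir -Recurse -Filter $ConfigName |
              Select-Object -First 1 -ExpandProperty FullName
[xml]$Config = Get-Content -Path $ConfigPath -Raw
$Setting = $Config.SelectSingleNode("//appSettings/add[@key='PortabilityDeelevate']")
if (-not $Setting) { throw "PortabilityDeelevate not found in $ConfigPath; check the config layout." }
Write-Host "PortabilityDeelevate was '$($Setting.GetAttribute('value'))', setting it to True"
$Setting.SetAttribute('value', 'True')
$Config.Save($ConfigPath)

# 4. Rebuild client.net.zip so the changed config is what actually gets deployed.
Remove-Item -Path $ClientNetZip
Compress-Archive -Path (Join-Path $ClientNetDir '*') -DestinationPath $ClientNetZip

# 5. Verify by reading the config straight out of the rebuilt archive.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$Zip = [System.IO.Compression.ZipFile]::OpenRead($ClientNetZip)
try {
    $Entry  = $Zip.Entries | Where-Object { $_.Name -eq $ConfigName } | Select-Object -First 1
    $Reader = New-Object System.IO.StreamReader($Entry.Open())
    [xml]$Deployed = $Reader.ReadToEnd()
    $Reader.Dispose()
} finally { $Zip.Dispose() }
$Value = $Deployed.SelectSingleNode("//appSettings/add[@key='PortabilityDeelevate']").GetAttribute('value')
if ($Value -ne 'True') { throw "Rebuilt client.net.zip still has PortabilityDeelevate='$Value'" }
Write-Host "client.net.zip rebuilt with PortabilityDeelevate=True; deploy it per the README"
```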
Product: ProfileUnity-FlexApp
Product Versions Affected: All currently supported versions
Product Versions Containing Mitigation: Client 6.8.4.7916 or higher