CVE-2019-13382
📋 TL;DR
CVE-2019-13382 is a local privilege escalation vulnerability in SnagIT and TechSmith Relay Classic Recorder on Windows. It allows attackers to gain elevated privileges by manipulating presentation files and symbolic links in specific directories. Users of SnagIT 2019.1.2 and earlier versions (from 12.4.1 onward) and TechSmith Relay Classic Recorder prior to 5.2.1 on Windows are affected.
💻 Affected Systems
- SnagIT
- TechSmith Relay Classic Recorder
📦 What is this software?
Snagit by Techsmith
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access can achieve SYSTEM-level privileges, enabling complete system compromise, data theft, and persistence.
Likely Case
Local attackers can escalate from standard user to administrator privileges, allowing installation of malware, credential theft, and lateral movement.
If Mitigated
With proper user privilege separation and application control, impact is limited to the user's own context.
🎯 Exploit Status
Exploit requires local access but is straightforward to execute. Detailed technical analysis and proof-of-concept are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SnagIT 2019.1.3 or later; TechSmith Relay Classic Recorder 5.2.1 or later
Vendor Advisory: https://support.techsmith.com/hc/en-us/articles/115006435067-Snagit-Windows-Version-History
Restart Required: Yes
Instructions:
1. Download the latest version from the TechSmith website.
2. Run the installer with administrative privileges.
3. Restart the system if prompted.
4. Verify installation of the patched version.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Remove write permissions for non-administrative users on the vulnerable directories to prevent file placement.
icacls "%PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations" /deny Users:(OI)(CI)W
icacls "%PROGRAMDATA%\TechSmith\TechSmith Recorder\InvalidPresentations" /deny Users:(OI)(CI)W
Disable symbolic link creation
Windows: Prevent creation of symbolic links by non-administrative users.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "ProtectionMode" -Value 1
🧯 If You Can't Patch
- Uninstall vulnerable software if not required for business operations.
- Implement application control to prevent execution of vulnerable versions.
🔍 How to Verify
Check if Vulnerable:
Check the SnagIT version: open SnagIT > Help > About. If the version is between 12.4.1 and 2019.1.2 inclusive, the system is vulnerable. For TechSmith Relay Classic Recorder, check the version in the installed programs list.
Check Version:
wmic product where name="SnagIT" get version
Verify Fix Applied:
Verify that the installed version is SnagIT 2019.1.3+ or TechSmith Relay Classic Recorder 5.2.1+. Test by attempting to create symbolic links in the vulnerable directories as a non-admin user (should fail).
📡 Detection & Monitoring
Log Indicators:
- File creation events in %PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations or InvalidPresentations by non-admin users
- Symbolic link creation events in these directories
- Process execution with unexpected privilege escalation
Network Indicators:
- No network indicators - this is a local attack
SIEM Query:
EventID=4663 AND ObjectName LIKE "%TechSmith Recorder%" AND Accesses="WriteData" AND SubjectUserName NOT IN ("SYSTEM", "Administrator")
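The SIEM query above, tightened into a runnable filter as an added example (not part of the original advisory or any vendor tooling): it matches only the two directories named on this page rather than any path containing "TechSmith Recorder", and it accepts rendered access strings such as "WriteData (or AddFile)". The dict field names follow the query; `C:\ProgramData` as the value of %PROGRAMDATA% and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Directories named on this page; C:\ProgramData is the assumed value of %PROGRAMDATA%.
WATCHED_DIRS = [
    r"C:\ProgramData\TechSmith\TechSmith Recorder\QueuedPresentations",
    r"C:\ProgramData\TechSmith\TechSmith Recorder\InvalidPresentations",
]
# Accounts excluded by the page's SIEM query (compared case-insensitively).
EXCLUDED_USERS = {"system", "administrator"}


def _in_watched_dir(object_name):
    """True if the path is a watched directory or lies beneath one."""
    path = ntpath.normcase(ntpath.normpath(object_name))
    bases = [ntpath.normcase(d) for d in WATCHED_DIRS]
    return any(path == b or path.startswith(b + "\\") for b in bases)


def is_suspicious(event):
    """Apply the page's 4663 filter to one event given as a dict of fields."""
    if event.get("EventID") != 4663:
        return False
    # Substring match: the rendered value is often "WriteData (or AddFile)".
    if "writedata" not in event.get("Accesses", "").lower():
        return False
    if event.get("SubjectUserName", "").lower() in EXCLUDED_USERS:
        return False
    return _in_watched_dir(event.get("ObjectName", ""))


def suspicious_events(events):
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"c:\programdata\techsmith\TechSmith Recorder\QueuedPresentations\file1.dat"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"C:\ProgramData\TechSmith\TechSmith Recorder\InvalidPresentations\file1.dat"},
    {"EventID": 4663, "SubjectUserName": "bob", "Accesses": "ReadData (or ListDirectory)",
     "ObjectName": r"C:\ProgramData\TechSmith\TechSmith Recorder\QueuedPresentations\file2.dat"},
    {"EventID": 4663, "SubjectUserName": "bob", "Accesses": "WriteData (or AddFile)",
     "ObjectName": r"C:\ProgramData\TechSmith\TechSmith Recorder\QueuedPresentationsOld\file3.dat"},
]

if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_EVENTS):
        print(e["SubjectUserName"], e["ObjectName"])
```

Event 4663 is only logged when object-access auditing is enabled and the two directories carry an audit entry (SACL) for write access.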
🔗 References
- https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
- https://support.techsmith.com/hc/en-us/articles/115006435067-Snagit-Windows-Version-History