CVE-2022-36415
📋 TL;DR
A DLL hijacking vulnerability in Scooter Beyond Compare's uninstaller allows local attackers to execute arbitrary code with SYSTEM privileges. When the uninstaller runs, it loads DLLs from the Windows Temp folder, enabling privilege escalation if malicious DLLs are placed there. Any standard user who can write to C:\Windows\Temp\ and trigger the uninstaller can exploit this.
💻 Affected Systems
- Scooter Beyond Compare
📦 What is this software?
Beyond Compare by Scootersoftware
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level compromise of the Windows system, allowing complete control, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local privilege escalation from standard user to SYSTEM, enabling installation of malware, disabling security controls, or accessing protected resources.
If Mitigated
Limited impact if proper access controls prevent standard users from writing to C:\Windows\Temp\ or if the uninstaller is never executed.
🎯 Exploit Status
Exploitation requires local access as a standard user with write permissions to C:\Windows\Temp\ and ability to execute the uninstaller. DLL hijacking techniques are well-documented and relatively simple to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.3 and later
Vendor Advisory: https://www.scootersoftware.com/support.php?zz=kb_security_2022-02
Restart Required: No
Instructions:
1. Download Beyond Compare version 4.4.3 or later from the official website.
2. Run the installer to upgrade.
3. The update will automatically replace the vulnerable uninstaller component.
🔧 Temporary Workarounds
Restrict write access to Windows Temp folder
Modify permissions on C:\Windows\Temp\ to prevent standard users from writing files:
icacls C:\Windows\Temp\ /deny Users:(OI)(CI)W
Remove vulnerable uninstaller
Delete or rename the vulnerable uninstaller executable to prevent execution:
del "C:\Program Files\Beyond Compare 4\unins000.exe"
ren "C:\Program Files\Beyond Compare 4\unins000.exe" unins000.exe.bak
🧯 If You Can't Patch
- Implement strict access controls on C:\Windows\Temp\ to prevent standard users from writing files
- Monitor for suspicious DLL files in C:\Windows\Temp\ and for execution of the Beyond Compare uninstaller
🔍 How to Verify
Check if Vulnerable:
If Beyond Compare was installed via the EXE installer and the version is between 1.8a and 4.4.2 inclusive, the system is vulnerable.
Check Version:
Open Beyond Compare and go to Help → About, or check the file properties of BCompare.exe
Verify Fix Applied:
Verify Beyond Compare version is 4.4.3 or later. Check that the uninstaller file (unins000.exe) has been updated.
📡 Detection & Monitoring
Log Indicators:
- Process creation events for unins000.exe with SYSTEM privileges
- File creation events for DLL files in C:\Windows\Temp\ by standard users
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
Process Creation: (Image='*\unins000.exe' AND IntegrityLevel='System') OR File Creation: (TargetFilename='C:\Windows\Temp\*.dll' AND SubjectUserName NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'))
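The two log indicators and the SIEM query above, implemented as a small rule set over constructed Sysmon-style events (added example, not part of the original advisory). The field names assume Sysmon ProcessCreate and FileCreate events; the sample events, account names and DLL file names are made up.

```python
import ntpath

# Constructed Sysmon-style events (ProcessCreate / FileCreate); sample data
# for illustration only, not real telemetry. Listed in timeline order.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Beyond Compare 4\BCompare.exe",
     "IntegrityLevel": "Medium", "User": "WORKSTATION\\alice"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\Temp\example.dll",
     "User": "WORKSTATION\\alice"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\Temp\report.log",
     "User": "WORKSTATION\\alice"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\Temp\cache.dll",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Beyond Compare 4\unins000.exe",
     "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
]

# Accounts excluded by the SIEM query's SubjectUserName NOT IN (...) clause.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
TEMP_DIR = "c:\\windows\\temp\\"


def _account(user: str) -> str:
    # Strip the domain/host prefix, e.g. NT AUTHORITY\SYSTEM -> SYSTEM
    return user.rsplit("\\", 1)[-1].upper()


def classify(event: dict):
    """Return the name of the indicator an event matches, or None."""
    if event.get("EventType") == "ProcessCreate":
        image = ntpath.basename(event.get("Image", "")).lower()
        if image == "unins000.exe" and event.get("IntegrityLevel") == "System":
            return "uninstaller_running_as_system"
    elif event.get("EventType") == "FileCreate":
        target = event.get("TargetFilename", "").lower()
        if (target.startswith(TEMP_DIR) and target.endswith(".dll")
                and _account(event.get("User", "")) not in SERVICE_ACCOUNTS):
            return "dll_written_to_windows_temp_by_user"
    return None


def correlate(events: list) -> list:
    """Higher-confidence finding: DLLs dropped in Temp by a non-service account,
    then the uninstaller starting as SYSTEM. Returns those DLL paths, else []."""
    dropped = []
    for ev in events:
        rule = classify(ev)
        if rule == "dll_written_to_windows_temp_by_user":
            dropped.append(ev["TargetFilename"])
        elif rule == "uninstaller_running_as_system" and dropped:
            return list(dropped)
    return []
```

Either indicator alone is noisy (legitimate uninstalls run as SYSTEM; some tools write DLLs to Temp), so the correlated sequence is the alert worth paging on, with the single-rule hits kept for hunting.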