CVE-2020-24567

7.8 HIGH

📋 TL;DR

CVE-2020-24567 is a privilege escalation vulnerability in voidtools Everything search software. Attackers can place a malicious urlmon.dll file in the installation directory to execute arbitrary code with elevated privileges. This primarily affects systems where low-privileged users have write access to the Everything installation directory.

💻 Affected Systems

Products:
  • voidtools Everything
Versions: All versions before 1.4.1 Beta Nightly 2020-08-18
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Vulnerability only exists if low-privileged users can write to the Everything installation directory, which is not the default configuration on most systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise where an attacker gains SYSTEM/administrator privileges, enabling complete control over the affected system, data theft, and lateral movement.

🟠

Likely Case

Local privilege escalation allowing a standard user to gain administrative privileges on the system where Everything is installed.

🟢

If Mitigated

No impact if proper access controls prevent low-privileged users from writing to the Everything installation directory.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: MEDIUM - Significant risk in environments where users have local access to systems with vulnerable Everything installations and permissive directory permissions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access, write access to the installation directory, and an elevated Everything process (the Everything service, or Everything started with "Run as administrator") that loads the planted urlmon.dll from its own directory before the copy in System32. This is classic DLL search-order hijacking, a well-understood technique that is trivial to weaponize once the write precondition holds.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1 Beta Nightly 2020-08-18 and later

Vendor Advisory: https://www.voidtools.com/forum/viewtopic.php?p=32509#p32509

Restart Required: Yes

Instructions:

1. Download the latest version from voidtools.com.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure a clean state.

🔧 Temporary Workarounds

Restrict installation directory permissions

windows

Remove write permissions for low-privileged users from the Everything installation directory. List the current ACL first (icacls "C:\Program Files\Everything" with no other arguments) to see which principal was granted write access; the default Program Files ACL does not grant it, so a grant to Users, Authenticated Users or Everyone was added by an installer or an administrator. Adjust the paths if Everything was installed somewhere other than Program Files. Note that a Deny entry for Users also blocks administrators, who are members of Users, from updating the software until the entry is removed again with icacls "C:\Program Files\Everything" /remove:d Users.

icacls "C:\Program Files\Everything" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Everything" /deny Users:(OI)(CI)W

Run Everything with standard user privileges

windows

Configure Everything to run without administrative privileges to limit impact: if the Everything service is not installed and Everything.exe is not started with "Run as administrator", a planted urlmon.dll executes only with the rights of the user who launched Everything, so there is no escalation. The trade-off is functional, since Everything uses the service or administrator rights to read the NTFS index directly.

🧯 If You Can't Patch

  • Remove write permissions for all non-administrative users from the Everything installation directory
  • Uninstall Everything from systems where it's not essential for operations

🔍 How to Verify

Check if Vulnerable:

Check the Everything version via Help → About. If the version is earlier than 1.4.1 Beta Nightly 2020-08-18, the system is vulnerable when low-privileged users can write to the installation directory; the escalation is only realized if Everything also runs elevated (as the Everything service or via "Run as administrator"), which is the common configuration.

Check Version:

"C:\Program Files\Everything\Everything.exe" -version

Verify Fix Applied:

Verify the version is 1.4.1 Beta Nightly 2020-08-18 or later in Help → About. Check the installation directory permissions (icacls "C:\Program Files\Everything") to confirm that no Allow entry gives Users, Authenticated Users or Everyone write access, and that no urlmon.dll sits beside Everything.exe.
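The following PowerShell script is an added example, not voidtools' code and not part of the original page. It audits the preconditions for this CVE on the local host in one pass and serves both the workaround and the verification steps above: it reports the file version of Everything.exe, lists Allow entries that give low-privilege principals write access to the installation directory (discounting Deny entries such as the one added by the icacls workaround), probes whether the current user can really create a file there, checks whether a urlmon.dll is already planted next to Everything.exe, and shows which account the Everything service runs as. Assumptions: the install path defaults to the usual Program Files folders (pass -InstallDir for a non-default install), the Windows service is named "Everything", and the mapping of the reported file version to the 2020-08-18 nightly build is left to the reader.

```powershell
# Added audit script (not voidtools' code, not from the original page).
# Reports the preconditions for CVE-2020-24567 on the local host.
# Assumptions: Everything.exe lives in $InstallDir (default: Program Files),
# the optional service is named "Everything", and the build number of the
# fixed nightly is not hard-coded here; compare FileVersion yourself.
param(
    [string]$InstallDir = $(
        if (Test-Path -LiteralPath 'C:\Program Files\Everything\Everything.exe') { 'C:\Program Files\Everything' }
        else { 'C:\Program Files (x86)\Everything' }
    )
)

# Principals every standard user belongs to; an Allow ACE with write rights for any of them is the exposure.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Right sets that let a user drop a new file into the folder (Modify and FullControl include Write).
$writeRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-LowPrivWriteGrants {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $grantsWrite = { param($ace) (([int]$ace.FileSystemRights) -band $writeRights) -ne 0 }
    # A Deny ACE for the same principal (for example from the icacls workaround) overrides the Allow.
    $denied = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and (& $grantsWrite $_) } |
                ForEach-Object { $_.IdentityReference.Value })
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (& $grantsWrite $_) -and
        ($denied -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Test-CurrentUserCanWrite {
    param([string]$Path)
    # Authoritative check: run the script as a standard (non-elevated) user and try to create a file.
    $probe = Join-Path $Path ('cve-2020-24567-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-EverythingFileVersion {
    param([string]$Path)
    (Get-Item -LiteralPath (Join-Path $Path 'Everything.exe')).VersionInfo.FileVersion
}

$writers = @(Get-LowPrivWriteGrants -Path $InstallDir)
# The service, when installed, is the elevated process that would load a planted DLL (service name assumed).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Everything'" -ErrorAction SilentlyContinue

[pscustomobject]@{
    InstallDir          = $InstallDir
    FileVersion         = Get-EverythingFileVersion -Path $InstallDir
    LowPrivWriteGrants  = $(if ($writers) { $writers -join ', ' } else { '(none)' })
    CurrentUserCanWrite = Test-CurrentUserCanWrite -Path $InstallDir
    UrlmonDllPlanted    = Test-Path -LiteralPath (Join-Path $InstallDir 'urlmon.dll')
    ServiceAccount      = $(if ($svc) { $svc.StartName } else { '(no Everything service)' })
}
```

Run it as a standard user so that CurrentUserCanWrite reflects the attacker's position rather than an administrator's. A host is exposed when LowPrivWriteGrants is non-empty or CurrentUserCanWrite is true on a pre-fix version; the escalation is only realized if ServiceAccount is a privileged account such as LocalSystem or Everything is otherwise run elevated. UrlmonDllPlanted being true is an incident indicator, not a configuration problem, and warrants preserving the file for analysis before removal.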

📡 Detection & Monitoring

Log Indicators:

  • File creation events (Sysmon Event ID 11) for urlmon.dll in the Everything installation directory, by any process; urlmon.dll legitimately lives only under the Windows system directories
  • Image load events (Sysmon Event ID 7) in which Everything.exe loads a urlmon.dll from a path other than C:\Windows\System32 or C:\Windows\SysWOW64; Sysmon only records these if its ImageLoad configuration covers Everything.exe
  • Process creation events (Security Event ID 4688) for Everything.exe with unexpected parent processes; on its own, every launch of Everything.exe produces a 4688, so filter on the parent rather than the image name

Network Indicators:

  • Unusual outbound connections from Everything.exe process

SIEM Query:

(EventID=11 AND TargetFilename ENDSWITH "\Everything\urlmon.dll")
OR (EventID=7 AND Image ENDSWITH "\Everything.exe" AND ImageLoaded ENDSWITH "\urlmon.dll"
    AND NOT (ImageLoaded STARTSWITH "C:\Windows\System32\" OR ImageLoaded STARTSWITH "C:\Windows\SysWOW64\"))

The pseudo-query above uses Sysmon field names; adapt the operators to your SIEM's syntax and the folder name if Everything is installed outside a directory called Everything. Matching Security Event ID 4688 on NewProcessName alone is too noisy to alert on and is better used as context once one of the two Sysmon conditions fires.
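The following PowerShell snippet is an added example, not from the original page or from voidtools, that applies the two log indicators above to constructed Sysmon-style events (Event ID 11 FileCreate and Event ID 7 ImageLoad) so the logic can be checked before it is translated into a SIEM rule. Field names follow Sysmon's (Image, TargetFilename, ImageLoaded); the installation folder name "Everything" and the sample events are assumptions.

```powershell
# Added detection example (not from the original page or from voidtools).
# Evaluates Sysmon-style records against the two indicators for CVE-2020-24567:
#   Event ID 11: any process writes urlmon.dll into the Everything install folder (planting)
#   Event ID 7:  Everything.exe loads a urlmon.dll from outside the Windows system folders (hijack)
# The folder name "Everything" and the sample records below are assumptions.

$windowsSystemDirs = @('C:\Windows\System32\', 'C:\Windows\SysWOW64\')

function Test-EverythingHijackIndicator {
    param([hashtable]$Record)
    switch ($Record.EventID) {
        11 {
            # Planting step: the writer can be any process (explorer, a script host, a copy utility).
            if ($Record.TargetFilename -like '*\Everything\urlmon.dll') {
                return "PLANT  : $($Record.Image) wrote $($Record.TargetFilename)"
            }
        }
        7 {
            # Hijack step: the legitimate urlmon.dll only ever loads from System32 or SysWOW64.
            $loaded = [string]$Record.ImageLoaded
            $fromSystemDir = $windowsSystemDirs |
                Where-Object { $loaded.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
            if ($Record.Image -like '*\Everything.exe' -and $loaded -like '*\urlmon.dll' -and -not $fromSystemDir) {
                return "HIJACK : $($Record.Image) loaded $loaded"
            }
        }
    }
    return $null
}

# Constructed sample: a benign system-DLL load, a DLL planted by an interactive user,
# the elevated Everything.exe loading the planted copy, and an unrelated file write.
$sampleEvents = @(
    @{ EventID = 7;  Image = 'C:\Program Files\Everything\Everything.exe'; ImageLoaded = 'C:\Windows\System32\urlmon.dll' },
    @{ EventID = 11; Image = 'C:\Windows\explorer.exe';                   TargetFilename = 'C:\Program Files\Everything\urlmon.dll' },
    @{ EventID = 7;  Image = 'C:\Program Files\Everything\Everything.exe'; ImageLoaded = 'C:\Program Files\Everything\urlmon.dll' },
    @{ EventID = 11; Image = 'C:\Windows\System32\msiexec.exe';           TargetFilename = 'C:\Windows\Temp\setup.tmp' }
)

$alerts = @($sampleEvents | ForEach-Object { Test-EverythingHijackIndicator -Record $_ } | Where-Object { $_ })
$alerts
```

On the constructed sample only the planted write and the out-of-system load are reported; the System32 load and the unrelated file write produce nothing. When feeding real Sysmon data, build the hashtables from the event's EventData fields and keep the ImageLoad condition, since it is the one that distinguishes the hijack from a benign copy of the DLL left behind by an installer.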

🔗 References
