CVE-2021-41065
📋 TL;DR
This vulnerability in Listary allows attackers to create a malicious named pipe that Listary automatically accesses when a privileged user opens a session. By exploiting this, attackers can duplicate the victim's token and impersonate them, potentially gaining elevated privileges. This affects Listary users on certain Windows versions before Microsoft patched the underlying Windows issue.
💻 Affected Systems
- Listary
📦 What is this software?
Listary by Bopsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain SYSTEM-level privileges on the compromised host, enabling complete system takeover, data theft, and lateral movement across the network.
Likely Case
Attackers gain administrative privileges on the local machine, allowing installation of malware, credential theft, and persistence mechanisms.
If Mitigated
With proper Windows updates and Listary patches, the attack surface is eliminated, though residual risk exists if either component remains unpatched.
🎯 Exploit Status
Exploitation requires the ability to create named pipes on the target system and to wait for a privileged Listary session. Public exploit details are available in the referenced Medium article.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: A Listary release later than version 6 (check the vendor for the latest version)
Vendor Advisory: https://www.listary.com/download
Restart Required: Yes
Instructions:
1. Update Listary to the latest version from the official website.
2. Ensure Windows is updated to a version where Microsoft has patched the underlying named pipe security issue (later Windows 10 builds).
3. Restart the system after updates.
🔧 Temporary Workarounds
Disable Listary Elevated Privileges
Windows: Run Listary with standard user privileges instead of elevated/admin privileges to reduce attack impact
Right-click Listary shortcut → Properties → Compatibility → Run this program as an administrator (UNCHECK)
Restrict Named Pipe Creation
Windows: Use Windows security policies to restrict creation of named pipes to trusted users only
Use Group Policy or local security policy to configure named pipe permissions
🧯 If You Can't Patch
- Run Listary with standard user privileges only, not as administrator
- Ensure Windows is updated to a version where Microsoft has patched the underlying named pipe security vulnerability
🔍 How to Verify
Check if Vulnerable:
Check Listary version (Help → About) - if version is 6 or earlier, you are vulnerable. Also check Windows version to ensure it's not a vulnerable Windows build.
Check Version:
In Listary: Help → About, or check program properties
Verify Fix Applied:
Verify Listary is updated to version after 6 and Windows is updated to a patched version (later Windows 10 builds). Test by attempting to create the malicious named pipe - it should not be accessible by Listary.
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing unexpected named pipe creation (\\.\pipe\Listary.listaryService)
- Process creation logs showing Listary accessing unexpected named pipes
Network Indicators:
- Local named pipe creation and access patterns
SIEM Query:
Windows Security Event ID 4656 (handle creation) or 4663 (object access) with object name containing '\Device\NamedPipe\Listary.listaryService'
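The SIEM query above as a runnable filter, added here as an example (it is not code from the advisory or from Listary). It assumes Security events exported as JSON lines with the standard 4656/4663 field names; the allow-listed image path is a placeholder and the sample events are constructed.

```python
import json

# Pipe object name and event IDs come from the SIEM guidance on this page.
PIPE_OBJECT = r"\device\namedpipe\listary.listaryservice"
EVENT_IDS = {"4656", "4663"}  # handle requested / object accessed

# ASSUMPTION: image path expected to open the pipe on a healthy host.
# Placeholder; replace with the real install path(s) in your environment.
EXPECTED_IMAGES = {r"c:\program files\listary\listary.exe"}

# Constructed sample export (one JSON event per line), not real telemetry.
SAMPLE_EXPORT = r'''
{"EventID": 4656, "SubjectUserName": "alice", "ObjectName": "\\Device\\NamedPipe\\Listary.listaryService", "ProcessName": "C:\\Program Files\\Listary\\Listary.exe"}
{"EventID": 4663, "SubjectUserName": "bob", "ObjectName": "\\Device\\NamedPipe\\Listary.listaryService", "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe"}
{"EventID": 4663, "SubjectUserName": "carol", "ObjectName": "\\Device\\NamedPipe\\spoolss", "ProcessName": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 4624, "SubjectUserName": "alice"}
{"EventID": 4656, "ObjectName":
'''


def find_pipe_events(lines, expected_images=EXPECTED_IMAGES):
    """Return one finding per 4656/4663 event that names the Listary pipe."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated export line: skip, keep hunting
        if not isinstance(ev, dict) or str(ev.get("EventID")) not in EVENT_IDS:
            continue
        if PIPE_OBJECT not in str(ev.get("ObjectName", "")).lower():
            continue
        image = str(ev.get("ProcessName", ""))
        findings.append({
            "event_id": int(ev["EventID"]),
            "user": ev.get("SubjectUserName", "?"),
            "image": image,
            # Any image outside the allow-list is flagged for review.
            "unexpected": image.lower() not in expected_images,
        })
    return findings


if __name__ == "__main__":
    for finding in find_pipe_events(SAMPLE_EXPORT.splitlines()):
        print(finding)
```

Events 4656 and 4663 are only written when object-access auditing is enabled on the host, so an empty result does not by itself show the pipe was untouched.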