CVE-2023-24671
📋 TL;DR
CVE-2023-24671 is an unquoted service path vulnerability in VX Search that allows attackers with local access to escalate privileges by placing a malicious executable in a writable directory along the service path. This affects users running VX Search v13.8 and v14.7 on Windows systems where the service runs with elevated privileges.
💻 Affected Systems
- VX Search
📦 What is this software?
Vx Search by Vxsearch
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM/administrator privileges, allowing complete control over the affected Windows system.
Likely Case
Local privilege escalation from a lower-privileged user account to SYSTEM/administrator level, enabling installation of malware, data theft, or persistence mechanisms.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from writing to directories along the service path.
🎯 Exploit Status
Exploitation requires local access and ability to write to a directory along the unquoted service path. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version beyond v14.7
Vendor Advisory: Not publicly documented in vendor advisory
Restart Required: Yes
Instructions:
1. Download the latest VX Search version from the official vendor site.
2. Install the update.
3. Restart the VX Search service or reboot the system.
🔧 Temporary Workarounds
Quote Service Path
Windows: Modify the service path to include quotes around the executable path
sc config "VXSearchService" binPath= "\"C:\Program Files\VX Search\vxsearch.exe\""
sc stop "VXSearchService"
sc start "VXSearchService"
Restrict Directory Permissions
Windows: Remove write permissions for non-administrative users on directories along the service path
icacls "C:\Program Files\VX Search" /deny Users:(OI)(CI)W
icacls "C:\Program Files" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Run VX Search service with minimal necessary privileges instead of SYSTEM/administrator
- Implement strict access controls to prevent unauthorized users from writing to directories along the service path
🔍 How to Verify
Check if Vulnerable:
Check if VX Search service path is unquoted: sc qc "VXSearchService" | findstr BINARY_PATH_NAME. If path contains spaces and no quotes, system is vulnerable.
Check Version:
Check VX Search version in program interface or registry: reg query "HKLM\SOFTWARE\VX Search" /v Version
Verify Fix Applied:
Verify service path is quoted: sc qc "VXSearchService" | findstr BINARY_PATH_NAME. Path should be enclosed in quotes. Also verify directory permissions prevent unauthorized writes.
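The same check applied to every service on the host, as an added PowerShell example (not part of the original advisory or any vendor tooling). The helper names Get-UnquotedExecutable and Get-PathReviewDirectories are hypothetical, and the last line uses a constructed sample path taken from the commands above.

```powershell
# Added example: read-only audit for unquoted service paths containing spaces.
# Uses the standard Win32_Service CIM class (Name, PathName, StartName, StartMode).

function Get-UnquotedExecutable {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }          # already quoted
    # Executable portion: everything up to the first ".exe" followed by a space or end
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') { $exe = $Matches['exe'] } else { return $null }
    if ($exe -notmatch '\s') { return $null }         # no spaces, so no ambiguity
    return $exe
}

function Get-PathReviewDirectories {
    param([Parameter(Mandatory)][string]$ExePath)
    # Each space is a point where the unquoted path is ambiguous. The directory
    # containing that point must not be writable by non-administrative users.
    $dirs = @()
    for ($i = 0; $i -lt $ExePath.Length; $i++) {
        if ($ExePath[$i] -eq ' ') {
            $prefix = $ExePath.Substring(0, $i)
            $dir = $prefix.Substring(0, $prefix.LastIndexOf('\') + 1)
            if ($dir) { $dirs += $dir }
        }
    }
    $dirs | Select-Object -Unique
}

# Report every affected service with the account it runs as and the
# directories whose ACLs should be reviewed (for example with icacls).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $exe = Get-UnquotedExecutable -PathName $_.PathName
        if ($exe) {
            [pscustomobject]@{
                Name       = $_.Name
                StartName  = $_.StartName
                StartMode  = $_.StartMode
                PathName   = $_.PathName
                ReviewDirs = (Get-PathReviewDirectories -ExePath $exe) -join '; '
            }
        }
    } | Format-List

# Constructed sample (path from the workaround above), runs without the service installed:
Get-PathReviewDirectories -ExePath 'C:\Program Files\VX Search\vxsearch.exe'
```

Run it again after applying the fix; a service whose path is now quoted no longer appears in the report.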
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts
- Creation of executable files in VX Search directories by non-administrative users
- Process creation events for unexpected executables from VX Search directories
Network Indicators:
- Unusual outbound connections from VX Search service
- Beaconing behavior from system running VX Search
SIEM Query:
Process Creation where (ImagePath contains "VX Search" and not ImagePath contains '"') OR (ParentImage contains "vxsearch.exe" and not User contains "SYSTEM")
🔗 References
- https://medium.com/%40SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://packetstormsecurity.com/files/171300/VX-Search-13.8-Unquoted-Service-Path.html