CVE-2023-31468
📋 TL;DR
This vulnerability allows local attackers to escalate privileges to SYSTEM by exploiting weak folder permissions in Inosoft VisiWin 7 software. It affects users running Inosoft VisiWin 7 through version 2022-2.1 on Windows systems, enabling unauthorized code execution.
💻 Affected Systems
- Inosoft VisiWin 7
📦 What is this software?
Visiwin 7 by Inosoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full SYSTEM-level control over the system, allowing them to install malware, steal data, or disrupt operations.
Likely Case
Local privilege escalation leading to persistence, lateral movement, or data exfiltration within the network.
If Mitigated
Limited to local user access with no privilege escalation if permissions are properly secured.
🎯 Exploit Status
Exploitation requires local access and involves inserting a Trojan horse file into the vulnerable folder.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024-1
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-03
Restart Required: Yes
Instructions:
1. Download and install Inosoft VisiWin 7 version 2024-1 or later from the official vendor.
2. Restart the system to apply changes.
🔧 Temporary Workarounds
Restrict Folder Permissions
Windows: Modify permissions on the vulnerable folder to remove Everyone access and restrict it to authorized users only.
icacls "%PROGRAMFILES(X86)%\INOSOFT GmbH" /remove Everyone
icacls "%PROGRAMFILES(X86)%\INOSOFT GmbH" /grant Administrators:F
🧯 If You Can't Patch
- Monitor the '%PROGRAMFILES(X86)%\INOSOFT GmbH' folder for unauthorized file changes using file integrity monitoring tools.
- Limit local user access to systems running Inosoft VisiWin 7 and enforce principle of least privilege.
🔍 How to Verify
Check if Vulnerable:
Check folder permissions: run 'icacls "%PROGRAMFILES(X86)%\INOSOFT GmbH"' and look for 'Everyone' in the output.
Check Version:
Check the software version in the application's about or help menu, or inspect installation logs.
Verify Fix Applied:
After patching, verify the installed version is 2024-1 or later and that folder permissions no longer include Everyone.
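The permission check above can be automated over collected icacls output. The following is an added example, not code from the vendor or the advisory; it goes beyond looking for 'Everyone' by also flagging other broad groups that hold write-capable rights. The principal names assume an English-locale system, and the sample output is constructed.

```python
import re

# Principals that include ordinary local users (English-locale names, an assumption).
BROAD = {"everyone", "builtin\\users",
         "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls inheritance markers; these are not access rights.
INHERIT = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific icacls rights that allow planting or replacing files.
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

# Constructed sample output, not captured from a real installation.
SAMPLE_PATH = r"C:\Program Files (x86)\INOSOFT GmbH"
SAMPLE = r"""C:\Program Files (x86)\INOSOFT GmbH Everyone:(OI)(CI)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                    BUILTIN\Users:(I)(RX)
                                    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                    NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""


def risky_aces(icacls_output, path):
    """Return (principal, rights, inherited) for allow ACEs that give a
    broad principal write-capable access in icacls output for `path`."""
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        # The first line is "<path> <first ACE>"; drop the known path prefix.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        if "DENY" in groups:
            continue  # a deny ACE does not grant access
        rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
        hits = sorted(rights & WRITE)
        if m.group("who").lower() in BROAD and hits:
            findings.append((m.group("who"), hits, "I" in groups))
    return findings


if __name__ == "__main__":
    for who, rights, inherited in risky_aces(SAMPLE, SAMPLE_PATH):
        print(f"{who}: {','.join(rights)} ({'inherited' if inherited else 'explicit'})")
```

Pass the same expanded path that was given to icacls, since the first output line can only be split reliably when the path prefix is known. An empty result means no broad principal holds write-capable rights on the folder.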
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs (e.g., Security logs) showing file creation or modification in the '%PROGRAMFILES(X86)%\INOSOFT GmbH' folder by non-admin users.
Network Indicators:
- Unusual outbound connections from the system post-exploitation, such as to command-and-control servers.
SIEM Query:
Example: 'source="Windows Security" AND event_id=4663 AND object_name="*INOSOFT GmbH*" AND user!="SYSTEM" AND user!="Administrator"'
🔗 References
- http://packetstormsecurity.com/files/174268/Inosoft-VisiWin-7-2022-2.1-Insecure-Permissions-Privilege-Escalation.html
- https://cwe.mitre.org/data/definitions/276.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-03
- https://www.exploit-db.com/exploits/51682
- https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- https://www.inosoft.com/en/news-details/news/neue-visiwin-version-2024-1