CVE-2023-34312
📋 TL;DR
This vulnerability in Tencent QQ and TIM messaging applications allows local attackers to achieve privilege escalation through a write-what-where condition. Attackers can write arbitrary data to arbitrary memory locations via unvalidated pointers in QQProtect components. Users of affected versions on Windows systems are vulnerable.
💻 Affected Systems
- Tencent QQ
- Tencent TIM
📦 What is this software?
QQ by Tencent
TIM by Tencent
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM/administrator privileges, enabling installation of persistent malware, credential theft, and lateral movement across networks.
Likely Case
Local privilege escalation from standard user to administrator/SYSTEM level, allowing attackers to bypass security controls and install malicious software.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced, though local privilege escalation remains possible.
🎯 Exploit Status
Public proof-of-concept code exists on GitHub. Exploitation requires local access but is relatively straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QQ 9.7.8.29040+, TIM 3.4.7.22085+
Vendor Advisory: https://security.tencent.com/
Restart Required: Yes
Instructions:
1. Open QQ/TIM application.
2. Navigate to Settings > About/Update.
3. Check for updates and install latest version.
4. Restart the application.
5. Verify version is above vulnerable threshold.
🔧 Temporary Workarounds
Disable QQProtect Service
Windows: Temporarily disable the vulnerable QQProtect service to prevent exploitation
sc stop QQProtect
sc config QQProtect start= disabled
Remove Application Execution
Windows: Restrict execution of QQ/TIM applications via application control policies
Use AppLocker or Windows Defender Application Control to block QQ.exe and TIM.exe
🧯 If You Can't Patch
- Implement strict least privilege policies to limit standard user capabilities
- Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check QQ version: Open QQ > Settings > About. Check TIM version: Open TIM > Settings > About. Compare against vulnerable versions.
Check Version:
wmic product where "name like '%QQ%' or name like '%TIM%'" get name,version
Verify Fix Applied:
Verify that the installed version is QQ 9.7.8.29040+ or TIM 3.4.7.22085+. Check that the QQProtect service is running the updated version.
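The version check above, scripted as an added PowerShell example (not vendor code and not part of the original page): it reads installed versions from the standard uninstall registry keys, reuses the broad QQ/TIM name match from the command above, compares numerically against the fixed versions listed here, and reports the QQProtect service state. The function name Get-PatchStatus and the name patterns are assumptions; review the Name and Publisher columns for unrelated matches.

```powershell
# Added example. Fixed versions are the ones stated on this page.
$FixedVersion = @{
    'QQ'  = [version]'9.7.8.29040'
    'TIM' = [version]'3.4.7.22085'
}

# Standard uninstall registry locations (64-bit, 32-bit and per-user views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: classify one installed version against the fixed version.
function Get-PatchStatus {
    param([string]$Product, [string]$DisplayVersion)
    # Cast to [version] so 9.7.10.x sorts above 9.7.8.x; a string compare would not.
    $installed = $DisplayVersion -as [version]
    if ($null -eq $installed) { return 'Unknown' }   # missing or non-numeric version
    if ($installed -ge $FixedVersion[$Product]) { return 'Patched' }
    return 'Vulnerable'
}

$results = foreach ($product in $FixedVersion.Keys) {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        # Assumption: same broad name match as the page's wmic filter.
        Where-Object { $_.DisplayName -like "*$product*" } |
        ForEach-Object {
            [pscustomobject]@{
                Product   = $product
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Version   = $_.DisplayVersion
                Status    = Get-PatchStatus -Product $product -DisplayVersion $_.DisplayVersion
            }
        }
}
$results | Format-Table -AutoSize

# Service state, to confirm whether the temporary workaround is in effect.
Get-Service -Name 'QQProtect' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```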
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from QQProtect.exe
- Privilege escalation events in Windows Security logs
- Unexpected service starts/stops for QQProtect
Network Indicators:
- Local inter-process communication anomalies involving QQProtect components
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%QQProtect%' OR ParentProcessName LIKE '%QQProtect%') AND IntegrityLevel='System'