CVE-2023-47454
📋 TL;DR
This CVE describes an untrusted search path vulnerability in NetEase CloudMusic for Windows that allows local users to escalate privileges by placing a malicious urlmon.dll file in the current working directory. Attackers can execute arbitrary code with higher privileges than intended. Only users running the vulnerable version on Windows are affected.
💻 Affected Systems
- NetEase CloudMusic
📦 What is this software?
Cloudmusic by Netease
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, malware installation, and persistence mechanisms.
Likely Case
Local user with limited privileges gains administrative rights, potentially installing software, modifying system settings, or accessing other user data.
If Mitigated
With proper user privilege separation and application sandboxing, impact is limited to the user's own context with minimal system-wide effects.
🎯 Exploit Status
Exploit requires local access and ability to place malicious DLL file; privilege escalation occurs when vulnerable application loads the DLL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
1. Check NetEase CloudMusic official website for security updates.
2. Update to latest version if patch is available.
3. If no patch, consider workarounds or alternative software.
🔧 Temporary Workarounds
Restrict DLL loading from current directory
Configure Windows to prevent DLL loading from the current working directory using the CWDIllegalInDllSearch registry setting.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f
Remove vulnerable version
Uninstall NetEase CloudMusic 2.10.4 and use alternative music software until a patch is available.
Control Panel > Programs > Uninstall a program > Select NetEase CloudMusic > Uninstall
🧯 If You Can't Patch
- Restrict user permissions to prevent placing files in application directories
- Monitor for suspicious DLL files in application working directories
🔍 How to Verify
Check if Vulnerable:
Check NetEase CloudMusic version in application settings or Control Panel > Programs; vulnerable if version is 2.10.4.
Check Version:
wmic product where name="NetEase CloudMusic" get version
Verify Fix Applied:
Verify version is updated beyond 2.10.4; check registry setting CWDIllegalInDllSearch is set to 0xFFFFFFFF.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual locations
- Application crashes or unexpected privilege changes
Network Indicators:
- Not applicable - local exploit only
SIEM Query:
(EventID=7 OR EventID=11) AND ProcessName="CloudMusic.exe" AND ImageLoaded contains "urlmon.dll" AND ImageLoaded contains current directory path
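
The image-load check behind the query above, written out as an added example (not part of the original advisory or any vendor tooling). It assumes Sysmon Event ID 7 records exported as dictionaries with `Image` and `ImageLoaded` fields, and it assumes the genuine urlmon.dll lives only in the default System32 and SysWOW64 directories; the sample events and install path are constructed.

```python
"""Flag urlmon.dll loads by CloudMusic.exe from outside the Windows system directories."""
from ntpath import basename, dirname, normcase, normpath

PROCESS_NAME = "cloudmusic.exe"
DLL_NAME = "urlmon.dll"
# Assumption: default Windows install; adjust if %SystemRoot% differs.
TRUSTED_DIRS = {
    normcase(r"C:\Windows\System32"),
    normcase(r"C:\Windows\SysWOW64"),
}


def normalize(path):
    """Collapse '..' segments and case so path tricks cannot hide the real directory."""
    return normcase(normpath(path))


def is_suspicious_load(event):
    """True when CloudMusic.exe loads urlmon.dll from a directory that is not trusted."""
    if event.get("EventID") != 7:  # only Sysmon ImageLoad records carry ImageLoaded
        return False
    image = normalize(event.get("Image", ""))
    loaded = normalize(event.get("ImageLoaded", ""))
    if basename(image) != PROCESS_NAME or basename(loaded) != DLL_NAME:
        return False
    return dirname(loaded) not in TRUSTED_DIRS


def find_suspicious_loads(events):
    """Return the ImageLoaded path of every record that matches the detection."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


# Constructed sample records (not real telemetry).
APP = r"C:\Program Files (x86)\Netease\CloudMusic\cloudmusic.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Windows\SysWOW64\urlmon.dll"},
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Users\alice\Downloads\urlmon.dll"},
    {"EventID": 7, "Image": r"C:\Tools\other.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\urlmon.dll"},
    {"EventID": 7, "Image": APP, "ImageLoaded": r"c:\windows\system32\..\Temp\URLMON.DLL"},
    {"EventID": 11, "Image": APP, "TargetFilename": r"C:\Users\alice\Downloads\urlmon.dll"},
]

if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_EVENTS):
        print("suspicious urlmon.dll load:", path)
```

Event ID 11 (file creation) records use `TargetFilename` rather than `ImageLoaded`, so they need a separate rule and are ignored here.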