CVE-2024-27518
📋 TL;DR
This vulnerability allows unprivileged attackers to escalate privileges by restoring a crafted DLL file into the SUPERAntiSpyware installation directory. Attackers can gain SYSTEM-level privileges on affected systems. Users of SUPERAntiSpyware Professional X versions 10.0.1262 and 10.0.1264 are affected.
💻 Affected Systems
- SUPERAntiSpyware Professional X
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper access controls prevent unprivileged users from writing to Program Files directories and if endpoint protection blocks DLL hijacking attempts.
🎯 Exploit Status
Exploit requires local user access and involves DLL hijacking through the restore functionality. Proof-of-concept code is publicly available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.superantispyware.com/
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Restrict write permissions to SUPERAntiSpyware directory
Platform: Windows
Remove write permissions for non-administrative users on the C:\Program Files\SUPERAntiSpyware folder:
icacls "C:\Program Files\SUPERAntiSpyware" /deny Users:(OI)(CI)W
Uninstall vulnerable versions
Platform: Windows
Remove SUPERAntiSpyware Professional X versions 10.0.1262 and 10.0.1264 from affected systems:
Control Panel > Programs > Uninstall a program > Select SUPERAntiSpyware > Uninstall
🧯 If You Can't Patch
- Implement strict access controls to prevent unprivileged users from writing to Program Files directories
- Monitor for DLL file creation/modification in the SUPERAntiSpyware directory using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check the SUPERAntiSpyware version under Help > About. If it is 10.0.1262 or 10.0.1264, the system is vulnerable.
Check Version:
Check Help > About in the SUPERAntiSpyware GUI, or examine the product's entry in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
Verify Fix Applied:
Verify SUPERAntiSpyware version is no longer 10.0.1262 or 10.0.1264, or confirm write permissions are denied to non-admin users in the installation directory.
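The following PowerShell script is an added example (not from the advisory or the vendor) that performs the three checks above in one pass: it reads the product's version from the Uninstall registry key, compares it against the two affected builds, and then inspects the installation directory's DACL to see whether standard non-admin principals can still write there, i.e. whether the icacls workaround (or an equivalent) is in place. It assumes (not stated on the page) that the product's Uninstall entry has a DisplayName containing "SUPERAntiSpyware" and that the install path is the default one unless the entry's InstallLocation says otherwise.

```powershell
# Added example, not the advisory's or the vendor's code.
# Checks (1) whether the installed SUPERAntiSpyware is one of the two affected
# builds and (2) whether non-admin principals can still write to its directory.
# Assumptions: Uninstall DisplayName contains "SUPERAntiSpyware"; default path
# unless InstallLocation is set.

$AffectedVersions   = @('10.0.1262', '10.0.1264')
$DefaultInstallDir  = 'C:\Program Files\SUPERAntiSpyware'
$NonAdminPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                        'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a principal drop or replace a DLL: the specific write/delete
# bits plus the generic rights an ACE may carry instead of specific ones.
# 0x2 CreateFiles/WriteData, 0x4 CreateDirectories/AppendData, 0x10000 Delete,
# 0x40000 WriteDAC, 0x80000 WriteOwner, 0x10000000 GENERIC_ALL, 0x40000000 GENERIC_WRITE
[int]$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-SasInstall {
    # Query both the native and the WOW6432Node uninstall hives, since a 32-bit
    # product on 64-bit Windows registers under the latter.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SUPERAntiSpyware*' } |
        Select-Object -First 1 DisplayName, DisplayVersion, InstallLocation
}

function Get-NonAdminWriteAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Principals covered by a Deny ACE on write bits (what the icacls workaround adds).
    $denied = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and ([int]$_.FileSystemRights -band $WriteMask) } |
        ForEach-Object { $_.IdentityReference.Value }
    # Allow ACEs that grant write bits to a non-admin principal and are not overridden by a Deny.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $NonAdminPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteMask) -and
        $denied -notcontains $_.IdentityReference.Value
    }
}

$product = Get-SasInstall
if (-not $product) {
    Write-Output 'SUPERAntiSpyware is not registered in the Uninstall key; not affected.'
    return
}

$versionHit = $AffectedVersions -contains $product.DisplayVersion
Write-Output ('Installed: {0} {1} -> {2}' -f $product.DisplayName, $product.DisplayVersion,
    $(if ($versionHit) { 'one of the affected builds' } else { 'not one of the listed builds' }))

$installDir = if ($product.InstallLocation) { $product.InstallLocation.TrimEnd('\') } else { $DefaultInstallDir }
if (-not (Test-Path -LiteralPath $installDir)) {
    Write-Output "Install directory $installDir not found; cannot check its ACL."
    return
}

$writable = @(Get-NonAdminWriteAces -Path $installDir)
if ($writable.Count -eq 0) {
    Write-Output "ACL on $installDir grants no write access to non-admin principals (workaround in place or default ACL intact)."
} else {
    Write-Output "ACL on $installDir still lets non-admin principals write:"
    $writable | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Run it from an elevated prompt so the ACL read is not affected by access checks. One caveat on the icacls workaround itself: BUILTIN\Users contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE by default, so a Deny ACE for Users also stops administrators logged on interactively from writing to the directory; remove it (icacls "C:\Program Files\SUPERAntiSpyware" /remove:d Users) before running a product update or the uninstaller from an administrator session, then re-apply it if the version is still one of the affected builds.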
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing file creation/modification in C:\Program Files\SUPERAntiSpyware by non-admin users
- Process creation logs showing suspicious DLL loading from SUPERAntiSpyware directory
Network Indicators:
- No specific network indicators as this is a local privilege escalation
SIEM Query:
EventID=4663 AND ObjectName LIKE '%SUPERAntiSpyware%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
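As an added example (not part of the advisory), the PowerShell script below runs the equivalent of the SIEM query above directly against the local Security log: it pulls event 4663 for the last 24 hours, keeps only write-class accesses to paths under the SUPERAntiSpyware directory, and drops Local System and the current members of the local Administrators group. Subjects are matched by SID rather than by name, because "Administrators" is a group and never appears as a SubjectUserName. It assumes (not stated on the page) that "Audit File System" object-access auditing is enabled and that the directory carries a SACL auditing write and delete access; without both, Windows writes no 4663 events for the folder and the query returns nothing regardless of what happened.

```powershell
# Added example, not the advisory's code. Local-log version of the SIEM query.
# Assumptions: object-access auditing enabled and a SACL on the watched folder.

$WatchPath = 'C:\Program Files\SUPERAntiSpyware'
$Since     = (Get-Date).AddHours(-24)
# Write-class bits as they appear in the 4663 AccessMask field:
# 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory, 0x10000 DELETE,
# 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER
[int]$WriteBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ExcludedSids {
    # S-1-5-18 is Local System; the rest are the current local Administrators members.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value }
    @('S-1-5-18') + @($admins)
}

function Get-SasWriteEvents {
    param([string]$Path, [datetime]$StartTime, [string[]]$ExcludedSids)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # The fields the SIEM query names live in the event's EventData XML.
        $d = @{}
        foreach ($item in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -notlike "$Path*")             { continue }
        if ($ExcludedSids -contains $d.SubjectUserSid)   { continue }
        if (([int]$d.AccessMask -band $WriteBits) -eq 0) { continue }   # AccessMask is a hex string such as 0x2
        [pscustomobject]@{
            Time       = $ev.TimeCreated
            Subject    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
            Process    = $d.ProcessName
        }
    }
}

$hits = @(Get-SasWriteEvents -Path $WatchPath -StartTime $Since -ExcludedSids (Get-ExcludedSids))
if ($hits.Count -eq 0) {
    Write-Output "No non-admin write-class access to $WatchPath in the Security log since $Since."
} else {
    Write-Output "$($hits.Count) non-admin write-class access event(s) under ${WatchPath}:"
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Reading the Security log requires an elevated session. The second log indicator listed above, a DLL being loaded from the SUPERAntiSpyware directory, is not recorded in the Security log at all; if Sysmon is deployed, its Event ID 7 (image loaded) with an ImageLoaded path under that directory is the record to watch for it.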