CVE-2024-30376
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on systems running vulnerable versions of Famatech Advanced IP Scanner. Attackers who already have low-privileged code execution can exploit an insecure Qt plugin loading mechanism to gain administrator privileges and execute arbitrary code. Only users of Advanced IP Scanner are affected.
💻 Affected Systems
- Famatech Advanced IP Scanner
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, enabling installation of persistent malware, data theft, and complete control over the affected system.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional tools, and move laterally within the network.
If Mitigated
Limited impact if proper application whitelisting and privilege separation are implemented, though the vulnerability could still be leveraged in targeted attacks.
🎯 Exploit Status
Exploitation requires local access and the ability to place malicious Qt plugins in unsecured directories. The vulnerability is well-documented in the ZDI advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version available from vendor (check Famatech website)
Vendor Advisory: https://www.advanced-ip-scanner.com/
Restart Required: Yes
Instructions:
1. Download the latest version from the official Famatech website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict Qt plugin directory permissions
Windows: Set strict permissions on Qt plugin directories to prevent unauthorized DLL injection
icacls "C:\Program Files\Advanced IP Scanner\plugins" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(DE,DC)"
Remove unnecessary Qt plugins
Windows: Delete non-essential Qt plugin files to reduce attack surface
Remove all .dll files from Qt plugin directories except those required for application functionality
🧯 If You Can't Patch
- Uninstall Advanced IP Scanner completely if not essential for operations
- Implement application control policies to block execution of Advanced IP Scanner
🔍 How to Verify
Check if Vulnerable:
Check Advanced IP Scanner version and compare against latest release from vendor website
Check Version:
Check Help > About in Advanced IP Scanner GUI or examine file properties of the executable
Verify Fix Applied:
Verify installation of latest version and check that Qt plugin directories have proper permissions
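One way to carry out the permission check above, as an added example (not vendor or ZDI code): a PowerShell audit that lists every allow ACE on the plugin directory and its DLLs that gives a non-administrative principal write, delete or re-permission rights. The default path is the one used in the icacls workaround on this page; the trusted-SID list is an assumption to adjust to local policy.

```powershell
# Added example: flag ACEs that let untrusted principals plant or replace
# DLLs in a Qt plugin directory. Default path comes from the icacls workaround
# on this page; the trusted-SID list is an assumption, adjust to local policy.
param(
    [string]$PluginDir = 'C:\Program Files\Advanced IP Scanner\plugins'
)

# SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER (assumed trusted).
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',
    'S-1-3-0'
)

# Rights that allow creating, replacing or re-permissioning a plugin file,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits that inherit-only ACEs may carry.
$Rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Mask = ([int]$Rights) -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
        $name = try {
            $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }
        [pscustomobject]@{
            Path = $Path; Sid = $ace.IdentityReference.Value; Account = $name
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $PluginDir -PathType Container)) {
    throw "Plugin directory not found: $PluginDir"
}
$targets = @($PluginDir) + @(Get-ChildItem -LiteralPath $PluginDir -Recurse -File -Filter *.dll |
    ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-UntrustedWriteAce -Path $_ })
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize; exit 1 }
Write-Output "No write-capable ACEs for untrusted principals under $PluginDir"
```

A non-zero exit code means at least one finding, so the script can be run from a scheduled compliance job; pass `-PluginDir` for installs in a different location.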
📡 Detection & Monitoring
Log Indicators:
- Unusual DLL loading from non-standard locations
- Process creation with elevated privileges from Advanced IP Scanner context
Network Indicators:
- No direct network indicators as this is local exploitation
SIEM Query:
Process Creation where (Image contains 'advanced_ip_scanner' OR ParentImage contains 'advanced_ip_scanner') AND IntegrityLevel='System'