CVE-2024-9325
📋 TL;DR
This critical vulnerability in Intelbras InControl allows local attackers to execute arbitrary code through an unquoted search path in the watchdog service executable. It affects all Windows systems running InControl versions up to 2.21.56. Attackers can exploit this to gain elevated privileges on the local system.
💻 Affected Systems
- Intelbras InControl
📦 What is this software?
Incontrol Web by Intelbras
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM-level privileges, allowing installation of persistent malware, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to administrative control of the affected system, enabling further attacks and persistence.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced, though local execution could still occur.
🎯 Exploit Status
Exploitation requires local access to the system. The unquoted search path vulnerability is well-understood and typically easy to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.21.58
Vendor Advisory: https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf
Restart Required: Yes
Instructions:
1. Download the fixed version from the Intelbras download portal.
2. Close all InControl applications.
3. Run the installer for version 2.21.58.
4. Restart the system to ensure all services are updated.
🔧 Temporary Workarounds
Modify service path permissions
Windows: Restrict write permissions to the C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam\ directory to prevent malicious file placement.
icacls "C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam" /deny Users:(OI)(CI)W
Quote service executable path
Windows: Manually modify the service configuration to use quoted paths in the service executable specification.
sc config "InControl Watchdog Service" binPath= "\"C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam\incontrol-service-watchdog.exe\""
🧯 If You Can't Patch
- Remove or disable the InControl Watchdog Service if not essential for operations.
- Implement strict endpoint detection and response (EDR) rules to monitor for suspicious file creation in the vulnerable directory.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Intelbras InControl via Control Panel > Programs and Features, or check the file version of incontrol-service-watchdog.exe.
Check Version:
wmic product where name="Intelbras InControl" get version
Verify Fix Applied:
Verify that version 2.21.58 is installed and that the service executable path is properly quoted in the service configuration.
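The following PowerShell check is an added example, not part of the Intelbras advisory: it lists every service whose image path contains spaces but is not quoted (the condition behind this CVE) and flags the InControl watchdog entry if it is among them. Only the executable name incontrol-service-watchdog.exe is taken from this page; the service name is not assumed, so the match is done on the path.

```powershell
# Added example (not Intelbras code): find services with unquoted image paths
# containing spaces and report the InControl watchdog if it is affected.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # A path that starts with a double quote is already safe.
            if ($path.StartsWith('"')) { return }
            # Drop any arguments after the executable; -split is case-insensitive.
            $exe = ($path -split '\.exe', 2)[0] + '.exe'
            if ($exe -notmatch '\s') { return }
            # Each prefix ending at a space is a location Windows resolves before
            # the real binary; these parent locations, not only the leaf directory,
            # are where write permissions for standard users must be verified.
            $parts = $exe -split ' '
            $probed = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                RunAs     = $_.StartName
                ImagePath = $path
                Probed    = $probed
            }
        }
}

$unquoted = Get-UnquotedServicePath
$unquoted | Format-Table Service, RunAs, ImagePath -AutoSize

$incontrol = $unquoted | Where-Object { $_.ImagePath -like '*incontrol-service-watchdog.exe*' }
if ($incontrol) {
    Write-Warning "InControl watchdog image path is unquoted; apply the sc config workaround or upgrade to 2.21.58."
    Write-Host "Confirm standard users cannot create files at these locations:"
    $incontrol.Probed | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "InControl watchdog path is quoted, or the service is not installed."
}
```

Run from an elevated PowerShell prompt after applying the fix or the sc config workaround; an empty result for the InControl entry confirms the path is now quoted.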
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts of InControl Watchdog Service
- File creation events in C:\Program Files (x86)\Intelbras\Incontrol Cliente\incontrol_webcam\ with suspicious names
Network Indicators:
- Unusual outbound connections from the InControl service
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%incontrol-service-watchdog.exe%' OR NewProcessName LIKE '%incontrol_webcam%')
🔗 References
- https://backend.intelbras.com/sites/default/files/2024-10/Aviso%20de%20Seguran%C3%A7a%20-%20Incontrol%202.21.56%20e%202.21.57.pdf
- https://download.cronos.intelbras.com.br/download/INCONTROL/INCONTROL-WEB/prod/INCONTROL-WEB-2.21.58-233dfd1ac1e2ca3eabb71c854005c78b.exe
- https://vuldb.com/?ctiid.278829
- https://vuldb.com/?id.278829
- https://vuldb.com/?submit.385397