CVE-2023-5964: 1E-Exchange Vulnerability Allowing Arbitrary Code Execution via End-User Interaction Product Pack

A critical vulnerability has been discovered in the 1E-Exchange-DisplayMessage instruction, a part of the End-User Interaction product pack on the 1E Exchange platform. This vulnerability allows specially crafted input to perform arbitrary code execution with SYSTEM permissions, posing a significant security risk. This issue only affects 1E Exchange operating on Windows clients.

Description

The vulnerability arises from the inadequate validation of the Caption and Message parameters in the 1E-Exchange-DisplayMessage instruction. Attackers can exploit this security flaw by crafting a malicious input that leads to arbitrary code execution with SYSTEM-level permissions.

As an example, consider this code snippet

1E-Exchange-DisplayMessage("Malicious Caption", "Malicious Message");

This seemingly innocent instruction can be exploited as the Caption and Message parameters are not properly validated, allowing an attacker to execute arbitrary code with elevated permissions.

Original references can be found on the vendor's website and the description of CVE-2023-5964

- Vendor's Security Bulletin
- CVE-2023-5964 Details

Exploit Details

The exploit takes advantage of the insufficient validation of Caption and Message parameters to execute arbitrary code with elevated SYSTEM permissions. It is important to note that this vulnerability only affects Windows clients using 1E Exchange with the End-User Interaction product pack.

To address this vulnerability, follow these steps

1. Delete the instruction "Show dialogue with caption %Caption% and message %Message%" from the list of instructions in the Settings UI.
2. Download the updated End-User Interaction product pack, which includes the new 1E-Exchange-ShowNotification instruction.
3. Replace the old instruction with the new 1E-Exchange-ShowNotification instruction. The new instruction should be displayed as "Show %Type% type notification with header %Header% and message %Message%" with a version number of 7.1 or above.

By implementing these remediation steps, the security risk posed by CVE-2023-5964 can be mitigated, protecting your Windows clients using 1E Exchange from potential arbitrary code execution attacks.

Timeline

Published on: 11/06/2023 13:15:10 UTC
Last modified on: 11/21/2023 18:15:09 UTC