VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2023 · Updated Sep 12, 2024

CVE-2023-27791

Description

An issue found in IXP Data Easy Install 6.6.148840 allows a remote attacker to escalate privileges via insecure PRNG.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-27793: IXP Data EasyInstall 6.6.148840 stores the local Administrator password using base64 encoding, allowing local read disclosure.

Vulnerability

CVE-2023-27793 describes a weakness in IXP Data EasyInstall version 6.6.148840 where the local system Administrator password is persisted using base64 encoding rather than a dedicated, strong encryption mechanism. The encoded password is stored in a configuration file accessible under the default application directory. No authentication or special privileges are required to read this file once an attacker has local access to the machine. [1]

Exploitation

Exploitation requires local file system access to the EasyInstall installation directory. An attacker with standard user privileges (or who has gained initial code execution on the host, for example via CVE-2023-27792 – insecure local filesystem ACLs) can read the configuration file containing the base64-encoded string. The attacker then decodes it using a simple base64 decoder, revealing the cleartext local Administrator password. No user interaction or network access is needed beyond obtaining local read access to the target file. [1]

Impact

Successful exploitation grants the attacker the local Windows Administrator password. This can be used to elevate privileges from a standard user to full administrative control over the affected workstation or server, enabling lateral movement, credential theft, and persistence within the domain environment. [1]

Mitigation

The vendor has not released a public fix for this specific encoding issue as of October 2023. A workaround is to restrict file system permissions on the configuration file manually, though this may impair normal operation. Upgrading to a patched version should be pursued when available. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
