Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2023-33668 PoC — DigiExam 安全漏洞

Source
https://github.com/lodi-g/CVE-2023-33668
Associated Vulnerability
Title:DigiExam 安全漏洞 (CVE-2023-33668)
Description:DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.
Readme
# CVE-2023-33668

## Summary

DigiExam is a ~~surveillance~~ exam and proctoring software. The software is installed in schools' (or students') computers. When the student joins an exam, DigiExam will: ensure it's not running in a Virtual Machine, terminate all applications, fullscreen itself, and prevent the user from going anywhere else than the DigiExam window. 

It has been found that the security detections are weak and can be easily bypassed by simply replacing a file (owned by the user) in the file system. This has been confirmed to work in DigiExam v14.0.2 and not tested again since then (I passed my exam :)).

Vulnerability: DigiExam (an Electron application) "outsources" the virtual machine detection (along with most security features) to a native module called dx-sec. The lack of integrity check on the dx-sec module allows to replace the module by a patched version. The patch can essentially modify any features located within dx-sec, including virtual machine detection (and others, such as the whitelist of illegal processes, etc). 

## Technical details

Upon it's first launch, the DigiExam application will download native modules in `%localappdata%\DigiExam\app-14.0.2\resources\app.asar.unpacked\node_modules\%modulename%\build\Release\%modulename.node%`. These .node files are (as instructed by `file`) `PE32 executable (DLL) (GUI) Intel 80386, for MS Windows`. 

Opening the dx-sec file in Ghidra and searching for the string "Virtual Machine" gives plenty of results and leads to `FUN_10020370` - renamed `detect_virtual_machine` (which gives pretty interesting insights into what is being examined for VM detection).

![](./detect_virtual_machine.png)

`detect_virtual_machine` has one xref to `FUN_10007ab0` - renamed `detect_virtual_machine_node_handler` - which appears to be a library's entrypoint for Node stuff (constructor and destructor around our 'main' function `detect_virtual_machine`).

![](./detect_virtual_machine_node_handler.png)

`detect_virtual_machine` can be patched to return immediately. The right side of the screenshot is the patched version.

![](./diff.png)

This will bypass completely the VM detection logic.

## Further

As mentioned in the introduction, DigiExam is often installed in **shared** schools' computers. Instead of patching the VM detection logic, an attacker could leverage this to get code execution on any student's session as soon as they take an exam, allowing more destructive attacks on students' documents and informations. Persistence is until DigiExam gets updated.
File Snapshot

 [4.0K]  /data/pocs/ed245366450a65a90e64c923dcbeb435464cbbe2
├── [ 16M]  demo.mp4
├── [182K]  detect_virtual_machine_node_handler.png
├── [322K]  detect_virtual_machine.png
├── [141K]  diff.png
└── [2.5K]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →