Microsoft Windows Unquoted Service Path Privilege Escalation

Posted by deepcore on April 17, 2020 – 4:33 pm

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:program fileshello.exe; The Windows API will try to interpret this as two possible paths: C:program.exe, and C:program fileshello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« [local] Code Blocks 16.01 – Buffer Overflow (SEH) UNICODE Nexus Repository Manager 3.21.1-01 Remote Code Execution »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Microsoft Windows Unquoted Service Path Privilege Escalation

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL