Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path

vendor:

Dup Scout

by:

Brian Rodriguez

7,8

CVSS

HIGH

Unquoted Service Path

426

CWE

Product Name: Dup Scout

Affected Version From: 13.5.28

Affected Version To: 13.5.28

Patch Exists: NO

Related CWE: N/A

CPE: a:dupscout:dup_scout:13.5.28

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 10 Enterprise 64 bits

2021

Dup Scout 13.5.28 – ‘Multiple’ Unquoted Service Path

Dup Scout 13.5.28 is vulnerable to Unquoted Service Path vulnerability. This vulnerability allows an attacker to gain elevated privileges on the system by exploiting the service path of the application. The service path of the application is not quoted which allows an attacker to inject malicious code in the service path and gain elevated privileges.

Mitigation:

Ensure that all service paths are quoted and that the service is running with the least privileges.

Source

Exploit-DB raw data:

# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.dupscout.com
# Software Links:
# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

Dup Scout Server   Dup Scout Server  C:\Program Files\Dup Scout
Server\bin\dupscts.exe    Auto
Dup Scout Enterprise   Dup Scout Enterprise  C:\Program Files\Dup Scout
Enterprise\bin\dupscts.exe    Auto

C:\>sc qc "Dup Scout Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Server
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
Server\bin\dupscts.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Dup Scout Server
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\>sc qc "Dup Scout Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Enterprise
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout
Enterprise\bin\dupscts.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Dup Scout Enterprise
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem