Vendor: ESET Security
By: Milad Karimi (Ex3ptionaL)
CVSS: 7.5 HIGH
Unquoted Service Path
CWE: 73
Product Name: ESET Security
Affected Version From: 16.0.26.0
Affected Version To: 16.0.26.0
Patch Exists: NO
Related CWE:
CPE: a:eset:eset_security:16.0.26.0
Metasploit:
Other Scripts:
Platforms Tested: Microsoft Windows 11 pro x64
2023

ESET Service 16.0.26.0 – ‘Service ekrn’ Unquoted Service Path

A vulnerability in ESET Service 16.0.26.0 allows an attacker to gain elevated privileges by exploiting an unquoted service path. The vulnerability exists in the 'ekrn' service, which is installed with ESET Security. By exploiting the vulnerability, an attacker can gain SYSTEM privileges on the affected system.

Mitigation:

Ensure that all services have a fully qualified path to the executable, and that the path is enclosed in quotes.

Exploit-DB raw data:

# Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-04-05
# Vendor : https://www.eset.com
# Version : 16.0.26.0
# Tested on OS: Microsoft Windows 11 pro x64

#PoC :
==============

C:\>sc qc ekrn
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ekrn
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        LOAD_ORDER_GROUP   : Base
        TAG                : 0
        DISPLAY_NAME       : ESET Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
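
A check for the mitigation above, as an added example that is not part of the original advisory or the Exploit-DB entry: it parses `sc qc` output and classifies each BINARY_PATH_NAME as quoted or unquoted. The first record is abridged from the capture on this page; the services ExampleUpdater and ExampleHost are constructed, and treating the image path as ending at the first `.exe` is an assumption of this example.

```python
import re

# First record: abridged from the capture on this page.
# ExampleUpdater / ExampleHost: constructed sample services, not real products.
SC_QC_OUTPUT = r'''
SERVICE_NAME: ekrn
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleUpdater
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\Updater\upd.exe --service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleHost
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k example group
        SERVICE_START_NAME : LocalSystem
'''

FIELD = re.compile(r'^\s*([A-Z_]+)\s*:\s?(.*)$')

def parse_sc_qc(text):
    """Return {service_name: binary_path_name} from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            current = value
        elif key == "BINARY_PATH_NAME" and current:
            services[current] = value
    return services

def classify(binary_path):
    """Return 'quoted', 'unquoted-safe' or 'unquoted-with-space'."""
    if binary_path.startswith('"'):
        return "quoted"
    # Assumption: the image path ends at the first ".exe" that is followed by
    # whitespace or end of string; everything after it is arguments.
    m = re.match(r'(.*?\.exe)(?=\s|$)', binary_path, re.IGNORECASE)
    image = m.group(1) if m else binary_path.split(" ")[0]
    return "unquoted-with-space" if " " in image else "unquoted-safe"

def audit(text):
    """Classify every service found in the given `sc qc` output."""
    return {name: classify(path) for name, path in parse_sc_qc(text).items()}

if __name__ == "__main__":
    for name, verdict in audit(SC_QC_OUTPUT).items():
        print(f"{name:16} {verdict}")
```

For the ekrn record it reports `quoted`, because the BINARY_PATH_NAME shown in the capture on this page is enclosed in quotes; only the constructed ExampleUpdater entry is flagged as `unquoted-with-space`.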