BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path

vendor:

BartVPN

by:

ZwX

7.8

CVSS

HIGH

Unquoted Service Path

428

CWE

Product Name: BartVPN

Affected Version From: 1.2.2002

Affected Version To: 1.2.2002

Patch Exists: NO

Related CWE:

CPE: a:bartvpn:bartvpn:1.2.2

Metasploit:

Other Scripts:

Platforms Tested: Windows 7

2019

BartVPN 1.2.2 – ‘BartVPNService’ Unquoted Service Path

The BartVPNService in BartVPN 1.2.2 has an unquoted service path vulnerability. This allows an attacker with local system privileges to potentially execute arbitrary code with elevated privileges by placing a malicious executable file in the root of the system drive.

Mitigation:

To mitigate this vulnerability, the vendor should update the service path to include quotes around the executable file path.

Source

Exploit-DB raw data:

#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.filehorse.com/
#Link Software : https://www.filehorse.com/download-bartvpn/
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc BartVPNService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: BartVPNService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BartVPNService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem