Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path

vendor:

Easy-Hide-IP

by:

Rene Cortes S

5.5

CVSS

MEDIUM

Unquoted Service Path

428

CWE

Product Name: Easy-Hide-IP

Affected Version From: 5.0.0.3

Affected Version To: 5.0.0.3

Patch Exists: NO

Related CWE:

CPE: a:easy-hide-ip:easy-hide-ip:5.0.0.3

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 Professional Service Pack 1

2019

Easy-Hide-IP 5.0.0.3 – ‘EasyRedirect’ Unquoted Service Path

The Easy-Hide-IP 5.0.0.3 software on Windows 7 Professional Service Pack 1 is vulnerable to an unquoted service path vulnerability. This vulnerability could allow an attacker to escalate privileges by placing a malicious executable in the search path of the service.

Mitigation:

To mitigate this vulnerability, the vendor should update the software to use a quoted service path. Users can also manually update the service path to include quotes.

Source

Exploit-DB raw data:

# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
# Date: 2019-11-22
# Exploit Author: Rene Cortes S
# Vendor Homepage: https://easy-hide-ip.com
# Software Link: https://easy-hide-ip.com
# Version: 5.0.0.3
# Tested on: Windows 7 Professional Service Pack 1

##########################################################################################################################

Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

EasyRedirect		EasyRedirect	C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe	Auto


##############################################################################################################################################

Service info:

C:\Users\user>sc qc EasyRedirect
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: EasyRedirect
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
        GRUPO_ORDEN_CARGA  : 
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : EasyRedirect
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem

#########################################################################################################################