Vendor: DHCP Turbo 4
By: boku
CVSS: 7.8 (HIGH)
Unquoted Service Path
CWE: 73
Product Name: DHCP Turbo 4
Affected Version From: 4.6.1298
Affected Version To: 4.6.1298
Patch Exists: NO
Related CWE: N/A
CPE: a:weird_solutions:dhcp_turbo_4:4.6.1298
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 (32-bit)
2020

DHCP Turbo 4.61298 – ‘DHCP Turbo 4’ Unquoted Service Path

DHCP Turbo 4 (version 4.6.1298) is affected by an unquoted service path vulnerability. The 'DHCP Turbo 4' service is registered with an executable path that contains spaces but is not enclosed in quotation marks, so Windows can resolve the path ambiguously when it starts the service. An attacker who can place an executable at a location along that path can have it run with the service's privileges and so gain elevated privileges on the system.

Mitigation:

Ensure that all service paths are quoted and that the service is running with the least privileges required.

Exploit-DB raw data:

Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: https://www.weird-solutions.com
Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe
Version: 4.6.1298
Tested On: Windows 10 (32-bit)

C:\Users\user>sc qc "DHCP Turbo 4"
SERVICE_NAME: DHCP Turbo 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\DHCP Turbo 4\dhcpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DHCP Turbo 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem

C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo"
DisplayName         PathName                                      StartMode 
DHCP Turbo 4        C:\Program Files\DHCP Turbo 4\dhcpt.exe       Auto
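
An added audit example (not part of the original advisory or of Exploit-DB's data): it parses saved `sc qc` output, flags services whose executable path is unquoted and contains spaces, lists the paths Windows would try before the intended binary so they can be checked, and produces the quoted value to register instead. The function names and the `ExampleQuoted` control service are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines of the `sc qc` output shown above,
# plus a hypothetical correctly quoted service as a negative control.
SC_QC_OUTPUT = r"""
SERVICE_NAME: DHCP Turbo 4
        BINARY_PATH_NAME   : C:\Program Files\DHCP Turbo 4\dhcpt.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuoted
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -k run
        SERVICE_START_NAME : LocalSystem
"""

FIELDS = {"BINARY_PATH_NAME": "path", "SERVICE_START_NAME": "account"}
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def parse_sc_qc(text):
    """Return one dict per service found in concatenated `sc qc` output."""
    services, cur = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            cur = {"name": value}
            services.append(cur)
        elif cur is not None and key in FIELDS:
            cur[FIELDS[key]] = value
    return services

def audit(path):
    """Return (candidates, fixed) for an unquoted path with spaces, else None."""
    if path.startswith('"'):
        return None
    m = EXE_RE.match(path)
    if not m or " " not in m.group(1):
        return None
    exe, args = m.group(1), m.group(2) or ""
    # Windows tries each space-delimited prefix (+ ".exe") before the real
    # binary: none of these should exist or be creatable by ordinary users.
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return candidates, f'"{exe}"{args}'

def findings(text):
    """Services in `text` whose image path is unquoted and contains spaces."""
    out = []
    for svc in parse_sc_qc(text):
        hit = audit(svc.get("path", ""))
        if hit:
            out.append({**svc, "candidates": hit[0], "fixed": hit[1]})
    return out
```

Each finding's `account` field shows the privileges at stake, and `fixed` is the quoted path the service should be registered with.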