Vendor: VeeVPN
By: Doğukan Orhan
CVSS: 6.1 (HIGH)
Unquoted Service Path
CWE: 428
Product Name: VeeVPN
Affected Version From: 1.6.2001
Affected Version To: 1.6.2001
Patch Exists: NO
Related CWE:
CPE: a:veepn:veepn:1.6.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 Pro x64
2024

VeeVPN 1.6.1 – ‘VeePNService’ Unquoted Service Path

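VeeVPN version 1.6.1 is vulnerable to an unquoted service path issue: the 'VeePNService' service is registered with a binary path that contains spaces and is not enclosed in quotes. By exploiting this vulnerability, an attacker could execute arbitrary code with elevated privileges during system startup or reboot.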

Mitigation:

To mitigate this vulnerability, the vendor should quote the service path to prevent potential code execution during system startup. Users are advised to update to a patched version when available.

Exploit-DB raw data:

# Exploit Title: VeeVPN 1.6.1 - 'VeePNService' Unquoted Service Path
# Date: 2024-12-27
# Exploit Author: Doğukan Orhan
# Vendor Homepage: https://veepn.com/
# Version: 1.6.1
# Tested on: Windows 10 Pro x64


# Steps to discover Unquoted Service Path:

C:\Users\PC>wmic service where 'name like "%VeePNService%"' get name, displayname, pathname, startmode, startname

# Service Info

C:\Users\PC>sc qc VeePNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeePNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\VeePN\service\VeePNService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VeePNService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:

This vulnerability could permit executing code during startup or reboot with escalated privileges.
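
A defender-side check for the condition visible in the `sc qc` output above, added here as an example that is not part of the original advisory or of the vendor's code: it parses captured `sc qc` text, flags a binary path that contains spaces but is not quoted, and returns the quoted value the mitigation calls for. The function names and the extension-based split between executable and arguments are assumptions made for this example.

```python
import re

# `sc qc VeePNService` output as reproduced on this page.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeePNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\VeePN\service\VeePNService.exe
        SERVICE_START_NAME : LocalSystem
"""

# Executable path = shortest prefix ending in a program extension (heuristic).
_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)(.*)$", re.IGNORECASE)

def parse_sc_qc(text):
    """Return the 'KEY : value' fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def audit_image_path(image_path):
    """Return (is_unquoted_with_spaces, corrected_value) for a binary path."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return (False, path)            # already quoted, nothing to fix
    m = _EXE.match(path)
    exe, args = (m.group(1), m.group(2)) if m else (path, "")
    if " " not in exe:
        return (False, path)            # no whitespace, quoting not required
    return (True, f'"{exe}"{args}')     # quote the executable, keep arguments

def audit_service(sc_qc_text):
    """Summarise the fields that matter for CWE-428 triage of one service."""
    f = parse_sc_qc(sc_qc_text)
    unquoted, fixed = audit_image_path(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("SERVICE_NAME"),
        "unquoted": unquoted,
        "quoted_path": fixed,
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "account": f.get("SERVICE_START_NAME"),
    }

if __name__ == "__main__":
    print(audit_service(SC_QC_OUTPUT))
```

For the service on this page the result reports an unquoted path on an auto-start service running as LocalSystem, which is the combination that makes the finding worth prioritising.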