Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path

vendor:

Configuration Tool

by:

Brian Rodriguez

5.5

CVSS

MEDIUM

Unquoted Service Path

428

CWE

Product Name: Configuration Tool

Affected Version From: 1.6.53

Affected Version To: 1.6.53

Patch Exists: NO

Related CWE:

CPE: a:oki:configuration_tool:1.6.53

Metasploit:

Other Scripts:

Platforms Tested: Windows 8.1 Pro 64 bits

2021

Configuration Tool 1.6.53 – ‘OpLclSrv’ Unquoted Service Path

The Configuration Tool version 1.6.53 is vulnerable to an unquoted service path vulnerability. The 'OpLclSrv' service has an unquoted service path, which can allow an attacker to escalate privileges and execute arbitrary code with elevated privileges.

Mitigation:

To mitigate this vulnerability, the vendor should update the software to use quoted service paths that include the full path to the executable.

Source

Exploit-DB raw data:

# Exploit Title: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 07-03-2021
# Vendor Homepage: https://www.oki.com
# Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46226801&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
# Tested Version: 1.6.53
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 8.1 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
OKI Local Port Manager OpLclSrv C:\Program
Files\Okidata\Common\extend3\portmgrsrv.exe               Auto

C:\>sc qc OpLclSrv [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO:
OpLclSrv TIPO: 10 WIN32_OWN_PROCESS TIPO_INICIO: 2 AUTO_START
CONTROL_ERROR: 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program
Files\Okidata\Common\extend3\portmgrsrv.exe GRUPO_ORDEN_CARGA: ETIQUETA: 0
NOMBRE_MOSTRAR: OKI Local Port Manager DEPENDENCIAS:
NOMBRE_INICIO_SERVICIO: LocalSystem