Vendor: Epson USB Display
By: Hector Gerbacio
CVSS: 6.5 (MEDIUM)
Vulnerability Type: Unquoted Service Path
CWE: 428
Product Name: Epson USB Display
Affected Version From: 1.6.0.0
Affected Version To: 1.6.0.0
Patch Exists: NO
Related CWE:
CPE: a:epson:epson_usb_display:1.6.0.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 8.1 with Bing
Year: 2021

Epson USB Display 1.6.0.0 – ‘EMP_UDSA’ Unquoted Service Path

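Epson USB Display 1.6.0.0 registers its 'EMP_UDSA' service with an unquoted service path: the binary path contains spaces and is not wrapped in quotation marks. The service starts automatically and runs as LocalSystem. An attacker with local access and low privileges could exploit this vulnerability to gain elevated privileges and execute arbitrary code.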

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of the Epson USB Display software. Additionally, ensure that all services have properly quoted service paths.
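
One way to carry out the "properly quoted service paths" check across a host, as an added example that is not part of the original advisory or of Epson's software: a PowerShell audit that reads each service's ImagePath from the registry and proposes the quoted form. The function name Get-QuotedImagePath and the $ApplyFix switch are assumptions made for this example.

```powershell
# Added example (not from the advisory): find services whose ImagePath is an
# unquoted executable path containing spaces, and show the quoted replacement.
# Run elevated; set $ApplyFix = $true only after reviewing the report.
$ApplyFix = $false
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-QuotedImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }               # already quoted
    # Split "<path>.exe" from any trailing arguments (-match is case-insensitive).
    if ($p -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') { return $null }
    $exe, $rest = $Matches['exe'], $Matches['rest']
    # Only the executable path matters; expand %VARS% because they may hide a space.
    if (-not [Environment]::ExpandEnvironmentVariables($exe).Contains(' ')) { return $null }
    return '"{0}"{1}' -f $exe, $rest
}

$findings = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    # Read the stored value without expansion so a fix writes back what was there.
    $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }
    $quoted = Get-QuotedImagePath -ImagePath $raw
    if ($quoted) {
        [pscustomobject]@{
            Service = $key.PSChildName
            RunsAs  = $key.GetValue('ObjectName')   # e.g. LocalSystem
            Start   = $key.GetValue('Start')        # 2 = automatic start
            Current = $raw
            Quoted  = $quoted
        }
    }
}
$findings | Format-List

# Dry run by default: -WhatIf prints the change instead of writing it.
foreach ($f in $findings) {
    Set-ItemProperty -Path "$root\$($f.Service)" -Name ImagePath -Value $f.Quoted -Type ExpandString -WhatIf:(-not $ApplyFix)
}
```

For the path shown in the `sc qc EMP_UDSA` output on this page, the function returns the same path wrapped in double quotes.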

Exploit-DB raw data:

# Exploit Title: Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path
# Discovery by: Hector Gerbacio
# Discovery Date: 2021-02-05
# Vendor Homepage: https://epson.com.mx/
# Tested Version: 1.6.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 with Bing

# Steps to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\WINDOWS\\" | findstr /i "EMP_UDSA" | findstr /i /v """
EMP_UDSA		EMP_UDSA		C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe			Auto

# Service info:

C:\>sc qc EMP_UDSA
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: EMP_UDSA
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\EPSON Projector\Epson USB Display V1.6\EMP_UDSA.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : EMP_UDSA
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem