IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path

vendor:

IPTInstaller

by:

SamAlucard

8.8

CVSS

HIGH

Unquoted Service Path

N/A

CWE

Product Name: IPTInstaller

Affected Version From: IPTInstaller 4.0.9

Affected Version To: IPTInstaller 4.0.9

Patch Exists: No

Related CWE: N/A

CPE: a:htc:iptinstaller:4.0.9

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 Pro

2020

IPTInstaller 4.0.9 – ‘PassThru Service’ Unquoted Service Path

An unquoted service path vulnerability exists in IPTInstaller 4.0.9, which could allow an authenticated local attacker to gain elevated privileges on the system. The vulnerability is due to the application not properly quoting the path to the executable of the 'PassThru Service'. An attacker can exploit this vulnerability by placing a malicious executable in the same folder as the vulnerable service and then start the service. This will result in the malicious executable being executed with SYSTEM privileges.

Mitigation:

Ensure that all services have a fully qualified path to the executable.

Source

Exploit-DB raw data:

#Exploit Title: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : HTC
#Version : IPTInstaller 4.0.9
#Vendor Homepage :  https://www.htc.com/latam/
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\Users\DSAZ230>sc qc "PassThru Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PassThru Service
        TIPO               : 10
[image: PassThruserv.jpg]
 WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\HTC\Internet
Pass-Through\PassThruSvr.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Internet Pass-Through Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem