Vendor: LogonExpert
By: Victor Mondragón
CVSS: 7.8 (HIGH)
Unquoted Service Path
CWE: 428
Product Name: LogonExpert
Affected Version From: 8.1
Affected Version To: 8.1
Patch Exists: NO
Related CWE:
CPE: a:softros_systems:logonexpert:8.1
Platforms Tested: Windows 7 Service Pack 1 x64
2021
LogonExpert 8.1 – ‘LogonExpertSvc’ Unquoted Service Path
LogonExpert 8.1, installed on Windows 7 Service Pack 1 x64, contains an unquoted service path vulnerability. The path registered for the LogonExpertSvc service is not enclosed in double quotes, so an attacker who places a malicious executable in a specific location can have it executed during service startup. This allows privilege escalation and arbitrary code execution with elevated privileges, and can lead to a complete compromise of the affected system.
Mitigation:
The vendor has not released a patch for this vulnerability. To mitigate the risk, it is recommended to update to the latest version of the software when available. Additionally, users can manually enclose the service path in double quotes to prevent exploitation of the unquoted service path vulnerability.
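
One way to find the affected service entry and apply the quoting fix described above, as an added PowerShell example that is not part of the original advisory or the vendor's tooling. It assumes the service's registry key is named `LogonExpertSvc` as in the title; the function name `Get-QuotedImagePath` and the `-Name` and `-Apply` parameters are hypothetical.

```powershell
# Added example: audit service ImagePath values for unquoted paths that
# contain spaces (CWE-428) and show the quoted replacement.
# Read-only unless -Apply is given; -Apply needs an elevated session.
param(
    [string]$Name = '*',   # service key filter, e.g. LogonExpertSvc
    [switch]$Apply         # write the quoted value back to the registry
)

function Get-QuotedImagePath {
    param([string]$ImagePath)
    # Take everything up to the first ".exe" that is followed by whitespace
    # or end of string as the executable; the remainder is arguments.
    # A leading double quote makes the match fail, so quoted paths are skipped.
    # Limitation: a directory name that itself ends in ".exe" is misparsed.
    $m = [regex]::Match($ImagePath,
        '^\s*(?<exe>[^"]+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $exe = $m.Groups['exe'].Value
    # No whitespace in the executable path means there is nothing to fix.
    if ($exe -notmatch '\s') { return $null }
    return '"{0}"{1}' -f $exe, $m.Groups['args'].Value
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like $Name } |
    ForEach-Object {
        # Read the raw value so %SystemRoot%-style variables stay unexpanded.
        $raw  = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        $type = $_.GetValue('Type', 0)
        # 0x10 / 0x20 = Win32 own-process / shared-process service; skip drivers.
        if (-not $raw -or -not ($type -band 0x30)) { return }
        $fixed = Get-QuotedImagePath $raw
        if (-not $fixed) { return }
        [pscustomobject]@{
            Service  = $_.PSChildName
            Current  = $raw
            Proposed = $fixed
        }
        if ($Apply) {
            Set-ItemProperty -Path $_.PSPath -Name ImagePath `
                -Value $fixed -Type ExpandString
        }
    }
```

Run it without `-Apply` first to review the proposed values, then rerun with `-Name LogonExpertSvc -Apply` and restart the service so the quoted path takes effect.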