Vendor: NETGATE Data Backup
Author: ZwX
CVSS: 7.5 (HIGH)
Vulnerability Type: Unquoted Service Path
CWE: 428
Product Name: NETGATE Data Backup
Affected Version From: 3.0.620
Affected Version To: 3.0.620
Patch Exists: NO
Related CWE:
CPE: netgate:data_backup:3.0.620
Metasploit:
Other Scripts:
Platforms Tested: Windows 7
Year: 2019

NETGATE Data Backup 3.0.620 – ‘NGDatBckpSrv’ Unquoted Service Path

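The 'NGDatBckpSrv' service of NETGATE Data Backup 3.0.620 is registered with an unquoted binary path that contains spaces (C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe). The service starts automatically and runs as LocalSystem, so the unquoted path could allow an attacker to gain elevated privileges and execute arbitrary code.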

Mitigation:

To mitigate this vulnerability, the vendor should update the service configuration so that the full binary path is enclosed in quotes.

Exploit-DB raw data:

#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : http://www.netgate.sk/download/download.php?id=5
#Tested on OS: Windows 7


#Analyze PoC :
==============


C:\Users\ZwX>sc qc NGDatBckpSrv
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: NGDatBckpSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGATE Data Backup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
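
A check a defender can run over saved `sc qc` output, added here as an example and not part of the original advisory or Exploit-DB entry: it parses the listing above and reports whether BINARY_PATH_NAME is an unquoted path with a space in its executable portion, returning the quoted form the mitigation calls for. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the `sc qc` listing from this page (French-locale header line).
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: NGDatBckpSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGATE Data Backup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")
# Split "<image path>.exe <arguments>" so spaces in arguments are not flagged.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def parse_sc_qc(text):
    """Return the KEY : value fields of one `sc qc` listing as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # the locale-dependent "[SC] ..." status line does not match
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_service(text):
    """Flag CWE-428: an unquoted image path whose executable part contains a space."""
    f = parse_sc_qc(text)
    path = f.get("BINARY_PATH_NAME", "")
    finding = {"service": f.get("SERVICE_NAME"), "account": f.get("SERVICE_START_NAME"),
               "vulnerable": False, "quoted_path": None}
    if not path or path.startswith('"'):
        return finding  # missing field, or the path is already quoted
    m = EXE_RE.match(path)
    exe, args = (m.group(1), m.group(2) or "") if m else (path, "")
    if " " in exe:
        finding["vulnerable"] = True
        finding["quoted_path"] = f'"{exe}"{args}'  # form the service should be registered with
    return finding
```
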