Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path

vendor:

Pingzapper

by:

Brian Rodriguez

7.8

CVSS

HIGH

Unquoted Service Path

426

CWE

Product Name: Pingzapper

Affected Version From: 2.3.1

Affected Version To: 2.3.1

Patch Exists: NO

Related CWE: N/A

CPE: a:pingzapper:pingzapper:2.3.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 8.1 Pro 64 bits

2021

Pingzapper 2.3.1 – ‘PingzapperSvc’ Unquoted Service Path

Pingzapper 2.3.1 is vulnerable to an unquoted service path vulnerability. This vulnerability can be exploited by a local attacker to gain elevated privileges on the system. The vulnerability exists due to the service path of the PingzapperSvc service not being properly quoted. An attacker can exploit this vulnerability by placing malicious files in the same directory as the service executable and then executing them with elevated privileges.

Mitigation:

Ensure that all service paths are properly quoted. Additionally, ensure that all services are running with the least privileges necessary.

Source

Exploit-DB raw data:

# Exploit Title: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 07-03-2021
# Vendor Homepage: https://pingzapper.com
# Software Links: https://pingzapper.com/download
# Tested Version: 2.3.1
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 8.1 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Pingzapper Service      PingzapperSvc            C:\Program Files
(x86)\Pingzapper\PZService.exe               Auto

C:\>sc qc PingzapperSvc [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO:
PingzapperSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Pingzapper\PZService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0
NOMBRE_MOSTRAR : Pingzapper Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO:
LocalSystem