ProtonVPN 1.26.0 - Unquoted Service Path

vendor:

ProtonVPN

by:

gemreda

7.5

CVSS

HIGH

Unquoted Service Path

428

CWE

Product Name: ProtonVPN

Affected Version From: 1.26.0

Affected Version To: 1.26.0

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows

2022

ProtonVPN 1.26.0 – Unquoted Service Path

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:Program.exe" to be run by a privileged program making use of WinExec.

Mitigation:

Ensure that all file paths are quoted to avoid potential privilege escalation

Source

Exploit-DB raw data:

# Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path
# Date: 22/03/2022
# Exploit Author: gemreda (@gemredax)
# Vendor Homepage: https://protonvpn.com/
# Software Link: https://protonvpn.com/
# Version: 1.26.0
# Tested: Windows 10 x64
# Contact: gemredax@pm.me

PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtonVPN Wireguard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ProtonVPN WireGuard
        DEPENDENCIES       : Nsi
                           : TcpIp
        SERVICE_START_NAME : LocalSystem


#Exploit:

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.