Vendor: Softros LAN Messenger
By: Victor Mondragón
CVSS: 7.8 (HIGH)
Unquoted Service Path
CWE: 426
Product Name: Softros LAN Messenger
Affected Version From: 9.6.4
Affected Version To: 9.6.4
Patch Exists: NO
Related CWE: N/A
CPE: a:softros_systems:softros_lan_messenger
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro 64 bits
2021
Softros LAN Messenger 9.6.4 – ‘SoftrosSpellChecker’ Unquoted Service Path
Softros LAN Messenger 9.6.4 is affected by an unquoted service path vulnerability that an attacker can exploit to gain elevated privileges on the system. The vulnerability exists because the executable path of the SoftrosSpellChecker service is not enclosed in quotation marks. An attacker can exploit it by creating a malicious executable with the same name as the service and placing it in the same directory as the service. When the service is started, the malicious executable is executed with SYSTEM privileges.
Mitigation:
The vendor should ensure that the executable paths of all its services are enclosed in quotation marks to prevent attackers from exploiting this vulnerability.
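Until a vendor fix exists, an administrator can audit service paths and quote them locally. The following is an added example, not code from the advisory or from the vendor: it flags unquoted service paths that contain spaces and produces the corrected, quoted value. The service names and paths are constructed samples (the advisory does not give the real SoftrosSpellChecker path); on a live host the strings come from each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# Constructed sample ImagePath values; not taken from the advisory.
SAMPLE_SERVICES = {
    "ExampleSpellChecker": r"C:\Program Files (x86)\Example Vendor\Example App\Spell.exe -svc",
    "QuotedService": r'"C:\Program Files\Example Vendor\agent.exe" --run',
    "NoSpaceService": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverStyle": r"\SystemRoot\System32\drivers\example.sys",
}


def executable_part(image_path):
    """Return the text up to the first '.exe' that ends a token, or None."""
    m = re.match(r"(.+?\.exe)(?=\s|$)", image_path, re.IGNORECASE)
    return m.group(1) if m else None


def is_unquoted_with_spaces(image_path):
    """True when the executable path contains a space and is not quoted."""
    p = image_path.strip()
    if p.startswith('"'):
        return False  # already quoted: Windows resolves it unambiguously
    exe = executable_part(p)
    return exe is not None and " " in exe


def quoted_image_path(image_path):
    """Return the ImagePath with the executable quoted and arguments kept."""
    p = image_path.strip()
    if not is_unquoted_with_spaces(p):
        return p  # nothing to fix
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'


def audit(services):
    """Map each flagged service name to its corrected ImagePath value."""
    return {
        name: quoted_image_path(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, suggested ImagePath = {fixed}")
```

Paths that rely on environment variables such as %ProgramFiles% are checked as written, so expand them first if the expanded form may contain spaces.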