Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths

vendor:

Vembu BDR

by:

Mohammed Alshehri

7.8

CVSS

HIGH

Unquoted Service Paths

CWE

Product Name: Vembu BDR

Affected Version From: 4.2.0.1 U1

Affected Version To: 4.2.0.1 U1

Patch Exists: YES

Related CWE: N/A

CPE: a:vembu:vembu_bdr:4.2.0.1_u1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

2020

Vembu BDR 4.2.0.1 U1 – Multiple Unquoted Service Paths

Vembu BDR 4.2.0.1 U1 is vulnerable to Unquoted Service Paths. This vulnerability allows an attacker to gain elevated privileges on the system. The vulnerable services are hsflowd, VembuBDR360Agent and VembuOffice365Agent. All of these services have their binary path set to an unquoted path, which allows an attacker to inject malicious code into the service.

Mitigation:

Ensure that all services have their binary path set to a quoted path.

Source

Exploit-DB raw data:

# Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
# Date: 2020-11-6
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.vembu.com/
# Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
# Version: Version 4.2.0.1 U1
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763


# Service info:
C:\Users\m507>sc qc "hsflowd"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: hsflowd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Host_sFlow_Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>sc qc "VembuBDR360Agent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VembuBDR360Agent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VembuBDR360Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>sc qc "VembuOffice365Agent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VembuOffice365Agent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VembuOffice365Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>


# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.