Microsoft Windows Unquoted Service Path Enumeration
high Nessus Plugin ID 63155
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
The remote Windows host has at least one service installed that uses an unquoted service path.Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.Note that this is a generic test that will flag any application affected by the described vulnerability.
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.See Also
http://www.nessus.org/u?84a4cc1c
http://cwe.mitre.org/data/definitions/428.html
Plugin Details
Severity: High
ID: 63155
File Name: smb_enum_unquoted_service_paths.nasl
Version: 1.22
Type: local
Agent: windows
Family: Windows
Published: 12/5/2012
Updated: 6/12/2020
Dependencies: smb_enum_services_params.nasl, symantec_encryption_desktop_sym13-010.nasl, symantec_enterprise_security_manager_sym12-020.nasl, symantec_wsa_sym15-004.nasl
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.9
Temporal Score: 5.4
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Temporal Vector: E:POC/RL:OF/RC:C
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: E:P/RL:O/RC:C
Vulnerability Information
Required KB Items: SMB/Services/Enumerated
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 9/15/2012
Exploitable With
Metasploit (Windows Service Trusted Path Privilege Escalation)
Reference Information
ICSA: 14-058-01
EDB-ID: 34037