Untrusted Search Path Vulnerability In Microsoft Auto Updater For Mac
I have been playing with unquoted service paths/trusted paths the last few days and thought I would write something up. Credit to Gavin Jones, who introduced me to this issue, which to be honest I hadn’t heard of before; I normally only checked cacls and permissions of services. What is the issue? Basically, it relates to service binary paths that are unquoted and contain spaces. If we look at the below Skype service, you will see the path is quoted – “c:\program files (x86)\” – which is the correct way.
You will come across some major vendors who do not enclose the path within quotes – c:\program files (x86)\ – and this is bad. When a service path is unquoted and contains spaces, it can be exploited: Windows splits the unquoted path at each space and tries each prefix as an executable, so a malicious file named program.exe placed in c:\ would run when the service starts. Services typically start with the SYSTEM privilege.
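An audit for this condition, as an added example (not code from the original post): it takes service ImagePath strings, flags the unquoted ones that contain spaces, lists the directories whose write permissions need review, and gives the quoted form to set instead. The service names and paths below are constructed sample data, and treating the first ".exe" as the end of the binary path is a simplifying assumption.

```python
import ntpath
import re

# Constructed sample data: (service name, ImagePath) pairs in the form stored
# under HKLM\SYSTEM\CurrentControlSet\Services\<name>. Names are hypothetical.
SAMPLE_SERVICES = [
    ("QuotedSvc", r'"C:\Program Files (x86)\Example App\svc.exe" /service'),
    ("UnquotedSvc", r'C:\Program Files (x86)\Example App\svc.exe /service'),
    ("NoSpaceSvc", r'C:\Windows\System32\svchost.exe -k netsvcs'),
    ("DriverSvc", r'\SystemRoot\System32\drivers\example.sys'),
]

EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def split_image_path(image_path):
    """Split an unquoted ImagePath into (executable, arguments)."""
    path = image_path.strip()
    m = EXE_END.search(path)
    if path.startswith('"') or m is None:
        return None  # already quoted, or not an .exe (e.g. a driver)
    return path[:m.end()], path[m.end():]

def earlier_candidates(image_path):
    """Files Windows tries first: each prefix ending at a space, plus .exe."""
    parts = split_image_path(image_path)
    if parts is None:
        return []
    exe = parts[0]
    return [exe[:i] + ".exe" for i, ch in enumerate(exe)
            if ch == " " and exe[i - 1] != " "]

def audit(services):
    """Report unquoted paths with spaces, the directories whose write ACLs
    need review, and the quoted ImagePath that removes the ambiguity."""
    findings = []
    for name, image_path in services:
        candidates = earlier_candidates(image_path)
        if candidates:
            exe, args = split_image_path(image_path)
            findings.append({
                "service": name,
                "review_dirs": sorted({ntpath.dirname(c) for c in candidates}),
                "fixed_image_path": f'"{exe}"{args}',
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding)
```

Only the unquoted path with spaces is reported; the quoted path, the path without spaces and the driver entry are left alone.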



For instance the below path.
CVE Vendors Products Updated CVSS
1 3, 2018-12-06 7.5 A flaw was found in ansible. Ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
1 2, 2018-11-23 6.8 Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
2018-11-20 6.8 DLL Search Order Hijacking vulnerability in Microsoft Windows Client in McAfee True Key (TK) before 5.1.165 allows local users to execute arbitrary code via specially crafted malware.
1 1 2018-11-20 6.8 The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking.
1 6, and 3 more 2018-11-19 9.3 Untrusted search path vulnerability in the installers of multiple Canon IT Solutions Inc. Software programs (ESET Smart Security Premium, ESET Internet Security, ESET Smart Security, ESET NOD32 Antivirus, DESlock+ Pro, and CompuSec (all programs.
2, 4, and 1 more 2018-11-14 6.5 It was found that glusterfs server does not properly sanitize file paths in the 'trusted.io-stats-dump' extended attribute which is used by the 'debug/io-stats' translator. Attacker can use this flaw to create files and execute arbitrary code.
1 1 2018-11-13 6.8 Untrusted search path vulnerability in installer of ChatWork Desktop App for Windows 2.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
1 1 2018-11-08 6.8 Adobe Creative Cloud Desktop Application before 4.5.5.342 (installer) has an insecure library loading (dll hijacking) vulnerability. Successful exploitation could lead to privilege escalation.
1 1 2018-11-06 6.8 Untrusted search path vulnerability in The installer of Digital Paper App version 1.4.0.16050 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
1 1 2018-10-31 9.3 elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or ATSECURE) program, which allows local users to gain privileges via a Trojan horse library in.
1 6, and 3 more 2018-10-30 6.8 Untrusted search path vulnerability in Multiple Yayoi 17 Series products (Yayoi Kaikei 17 Series Ver.23.1.1 and earlier, Yayoi Aoiro Shinkoku 17 Ver.23.1.1 and earlier, Yayoi Kyuuyo 17 Ver.20.1.4 and earlier, Yayoi Kyuuyo Keisan 17 Ver.20.1.4.
1 1 2018-10-12 4.6 Untrusted search path vulnerability in Microsoft Auto Updater for Mac allows local users to gain privileges via a Trojan horse executable file, aka 'Microsoft (MAU) Office Elevation of Privilege Vulnerability.'
1 1 2018-10-09 4.4 Multiple untrusted search path vulnerabilities in Putty beta 0.67 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) UxTheme.dll or (2) ntmarta.dll file in the current working directory.
1 5, and 2 more 2018-10-09 4.4 Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion.
1 1 2018-10-09 6.8 Untrusted search path vulnerability in Snort 2.9.7.0-WIN32 allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tcapi.dll that is located in the same folder on a remote file share as a pcap file.
1 1 2018-10-09 6.8 Untrusted search path vulnerability in F-Secure Online Scanner allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the same folder as F-SecureOnlineScanner.exe.
1 2, 2018-10-04 9.3 Untrusted search path vulnerability in RW-4040 tool to verify execution environment for Windows 7 version 1.2.0.0 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
1 2, 2018-10-03 9.3 Untrusted search path vulnerability in RW-4040 driver installer for Windows 7 version 2.27 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
1 3, 2018-10-03 9.3 Untrusted search path vulnerability in RW-5100 tool to verify execution environment for Windows 7 version 1.1.0.0 and RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.0.0 allows an attacker to gain privileges via a Trojan.