webcamoid / akvirtualcamera

akvirtualcamera, virtual camera for Mac and Windows
GNU General Public License v3.0

Windows service AkVCamAssistant is using an unquoted service path #75

Closed leonardobg closed 2 weeks ago

leonardobg commented 3 weeks ago

```
C:\Windows\System32>sc qc AkVCamAssistant
[SC] QueryServiceConfig ÊXITO

NOME_DO_SERVIÇO: AkVCamAssistant
        TIPO                       : 10 WIN32_OWN_PROCESS
        TIPO_DE_INÍCIO             : 2 AUTO_START
        CONTROLE_DE_ERRO           : 1 NORMAL
        NOME_DO_CAMINHO_BINÁRIO    : C:\Program Files\AkVirtualCamera\x64\AkVCamAssistant.exe
        GRUPO_DE_ORDEM_DE_CARREG.  :
        MARCA                      : 0
        NOME_PARA_EXIBIÇÃO         : Webcamoid virtual camera service
        DEPENDÊNCIAS               :
        NOME_DO_INÍCIO_DO_SERVIÇO  : LocalSystem
```

This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.

hipersayanX commented 3 weeks ago

I really don't understand what you are pointing at; all paths are quoted, or am I missing something? :confused: Can you point me to the wrong line?

leonardobg commented 3 weeks ago

If you run the command sc qc AkVCamAssistant in CMD, you will see that the binary path name is unquoted. Your code should ensure that when the service is installed on Windows it quotes the binary path name correctly; otherwise it may be used by attackers to escalate privileges.

For reference: https://juggernaut-sec.com/unquoted-service-paths/

hipersayanX commented 2 weeks ago

Ok, I more or less understand the problem. One way of fixing it is installing the service in a path without spaces in its name. The other way, if I understand well, is that I must prefix and postfix the fileName with quotes, right? I would imagine that is something that the Microsoft API would handle internally.

leonardobg commented 2 weeks ago

Yes, both fixes would work, but I would suggest that you use the second one since it's a better security practice.

hipersayanX commented 2 weeks ago

Fixed with 9.1.3.

hipersayanX commented 2 weeks ago

Also, thanks! If you find other bugs, don't hesitate to report them.
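The check and the second fix discussed in this thread, as an added C++ example that is not part of the original issue or of the akvirtualcamera code base. The function names isUnquotedServicePath and quoteServicePath are hypothetical, and every sample path other than the one shown in the sc qc output above is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Lower-case copy, used to match the ".exe" extension case-insensitively.
static std::string lowerCopy(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return s;
}

// True when a service binary path (the value "sc qc" reports) is unquoted
// and contains a space inside the executable path itself. A space that only
// separates the executable from its arguments is not a problem.
bool isUnquotedServicePath(const std::string &binPath)
{
    auto start = binPath.find_first_not_of(" \t");
    if (start == std::string::npos || binPath[start] == '"')
        return false; // empty, or already quoted

    // The executable ends at the first ".exe" followed by end of string
    // or whitespace; anything after that is treated as arguments.
    const std::string l = lowerCopy(binPath);
    auto pos = l.find(".exe", start);
    while (pos != std::string::npos) {
        auto end = pos + 4;
        if (end == l.size() || l[end] == ' ' || l[end] == '\t')
            break;
        pos = l.find(".exe", end);
    }
    auto exeEnd = pos == std::string::npos ? binPath.size() : pos + 4;

    return binPath.find(' ', start) < exeEnd;
}

// Builds the value to register as the service binary path: the executable
// wrapped in double quotes, with optional arguments left outside the quotes.
std::string quoteServicePath(const std::string &exe,
                             const std::string &args = "")
{
    bool quoted = exe.size() >= 2 && exe.front() == '"' && exe.back() == '"';
    std::string path = quoted ? exe : '"' + exe + '"';
    return args.empty() ? path : path + ' ' + args;
}
```

The installer would pass the result of quoteServicePath as the binary path when creating the service, and isUnquotedServicePath can be run over existing service entries to audit them.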