EG Free AntiVirus 2020 Privilege Escalation / Unquoted Service Path

2022.03.31
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

# Exploit Title: EG Free AntiVirus v2020 - Unquoted Service Path (Local Privilege Escalation)
# Date: 24/01/2022
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: http://www.egsoftweb.in/index.aspx
# Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6
# Version: 2020
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46439

-------------
Description:
-------------
EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with an unquoted service path. Because this service runs as SYSTEM, the unquoted path creates a local privilege escalation vulnerability. To properly exploit this vulnerability, a local attacker must insert an executable in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.

------------------
Proof of Concept:
------------------
C:\Users\shah>sc qc "WinSEGAV AutoConfig"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinSEGAV AutoConfig
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\EGSoftWeb\EG Anti Virus\egavser.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Service For EG Free AntiVirus
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Best regards,
Shahrukh Iqbal Mirza.
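
For defenders auditing a host for this condition, the following added example (not part of the original advisory or the vendor's code) parses `sc qc` output, flags an unquoted image path that contains spaces, and returns the correctly quoted value to set. The function names and the extension-based split between image path and arguments are assumptions made for this sketch; the sample input is constructed from the proof of concept above.

```python
import re

# Constructed sample: `sc qc` output laid out from the advisory's proof of concept.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinSEGAV AutoConfig
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\EGSoftWeb\EG Anti Virus\egavser.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Service For EG Free AntiVirus
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Turn `sc qc` output into a dict keyed by field name (hypothetical helper)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_0-9]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_service(fields):
    """Return a finding if the image path is unquoted and contains spaces, else None."""
    raw = fields.get("BINARY_PATH_NAME", "")
    if not raw or raw.startswith('"'):
        return None  # nothing to check, or the path is already quoted
    # Assumption: the image path ends at the first executable extension;
    # anything after it is treated as service arguments.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd))(?=\s|$)(.*)$", raw, re.I)
    exe, args = (m.group(1), m.group(2)) if m else (raw, "")
    if " " not in exe:
        return None  # unquoted but unambiguous
    account = fields.get("SERVICE_START_NAME", "")
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "runs_as_system": account.lower() == "localsystem",
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "quoted_path": f'"{exe}"{args}',  # value the service's image path should hold
    }

if __name__ == "__main__":
    print(audit_service(parse_sc_qc(SAMPLE_SC_QC)))
```

A finding with `runs_as_system` and `auto_start` both true, as here, is the highest-priority case to fix; the remedy is to store the image path in quoted form, as given in `quoted_path`.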

