CVE-2022-33035: Vuln/XLpd-Unquoted-Service-Path.md at main · ycdxsb/Vuln
XLPD v7.0.0094 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.
XLpd7 Unquoted Service Path
Vuln Info
Software name: Xlpd 7
Software version: Xlpd-7.0.0094 (latest version)
Vuln Type: Unquoted Service Path
Vuln Influence: Arbitrary code execution
Vuln Analysis
The service path of xlpd7 in the registry is unquoted.
So when the service manager starts the service, it searches for C:\Program.exe first.
- If C:\Program.exe exists, it executes C:\Program.exe.
- If C:\Program.exe does not exist, it goes on to look for XlpdCore.exe at C:\Program Files (x86)\NetSarang\Xlpd7\XlpdCore.exe.
So a low-privileged attacker can put Program.exe under C:\ and reboot Windows; it will then execute arbitrary code in the SYSTEM context.
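An added example, not code from the original advisory: a Python audit over service ImagePath strings that flags unquoted paths containing spaces, lists the intermediate locations Windows probes first (so they can be checked for unexpected files and weak ACLs), and produces the quoted replacement value. It generalizes from C:\Program.exe to every space in the path, following the documented CreateProcess parsing behavior; the service names and the non-Xlpd entries in SAMPLE are constructed.

```python
import re

# Executable portion of an unquoted ImagePath: everything up to the first ".exe".
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# Constructed sample data (not read from a real registry). The Xlpd7 value is
# the path given in the advisory; the key names are assumptions.
SAMPLE = {
    "Xlpd7": r"C:\Program Files (x86)\NetSarang\Xlpd7\XlpdCore.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
}


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE.match(s)
    if m:
        return m.group(1), s[m.end():].strip(), False
    return s, "", False  # no .exe found: treat the whole value as the path


def probe_order(executable):
    """Paths tried, in order, when `executable` is passed unquoted."""
    probes = [executable[:i] + ".exe"
              for i, ch in enumerate(executable) if ch == " "]
    return probes + [executable]


def audit(services):
    """Map each flagged service to the locations to check and the fixed value."""
    findings = {}
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue  # quoted, or no space in the executable path: not affected
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings[name] = {"check": probe_order(exe)[:-1], "fix": fixed}
    return findings


if __name__ == "__main__":
    for svc, info in audit(SAMPLE).items():
        print(svc, info)
```

On a live host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>; feed them to `audit()` in place of SAMPLE.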
Proof Of Concept
The Program.exe will add a user named attack.
Poc Video
Official Confirm