Vulnerabilities > CVE-2014-5455 - Unquoted Search Path OR Element vulnerability in multiple products

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
openvpn
privatetunnel
CWE-428
nessus
exploit available

Summary

Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder. <a href="http://cwe.mitre.org/data/definitions/428.html" target="_blank">CWE-428: Unquoted Search Path or Element</a>

Vulnerable Configurations

Part Description Count
Application
Openvpn
1
Application
Privatetunnel
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard search path - a path variable or classpath used to bootstrap the program and/or provide it with contextual information. J2EE applications and other component-based applications built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented. A standard UNIX path is an ordered list of directories that the system searches for an executable; if the attacker modifies the path variable to point to a location that includes malicious resources, then the user can unwittingly execute commands on the attacker's behalf. This is a form of usurping control of the program, and the attack can be carried out on the classpath, database resources, or any other resources built from compound parts. At runtime, detection and blocking of this attack is nearly impossible, because the configuration allows the execution.

Exploit-Db

description: OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege. CVE-2014-5455. Local exploit for win32 platform
file: exploits/windows_x86/local/34037.txt
id: EDB-ID:34037
last seen: 2016-02-03
modified: 2014-07-12
platform: windows_x86
port:
published: 2014-07-12
reporter: LiquidWorm
source: https://www.exploit-db.com/download/34037/
title: OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege
type: local

Nessus

NASL family: Windows
NASL id: SMB_ENUM_UNQUOTED_SERVICE_PATHS.NASL
description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service. Note that this is a generic test that will flag any application affected by the described vulnerability.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63155
published: 2012-12-05
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63155
title: Microsoft Windows Unquoted Service Path Enumeration
code
#
# (C) Tenable Network Security, Inc
#

include("compat.inc");

if (description)
{
  # Plugin metadata only: IDs, external references, CVSS vectors and
  # exploit status consumed by the scanner.  The actual check starts
  # after this block.
  script_id(63155);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # This is a generic check, so it is mapped to several product-specific
  # CVEs; CVE-2014-5455 is the OpenVPN PrivateTunnel 'ptservice' issue,
  # and the Exploit-DB cross-reference below is its public exploit.
  script_cve_id("CVE-2013-1609", "CVE-2014-0759", "CVE-2014-5455");
  script_bugtraq_id(58591, 58617, 65873, 68520);
  script_xref(name:"ICSA", value:"14-058-01");
  script_xref(name:"EDB-ID", value:"34037");

  script_name(english:"Microsoft Windows Unquoted Service Path Enumeration");
  script_summary(english:"Generic check for unquoted service paths.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has at least one service installed that uses
an unquoted service path.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host has at least one service installed that uses
an unquoted service path, which contains at least one whitespace. A
local attacker can gain elevated privileges by inserting an executable
file in the path of the affected service.

Note that this is a generic test that will flag any application
affected by the described vulnerability.");
  # https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84a4cc1c");
  script_set_attribute(attribute:"see_also", value:"http://cwe.mitre.org/data/definitions/428.html");
  script_set_attribute(attribute:"see_also", value:"https://www.commonexploits.com/unquoted-service-paths/");
  # http://www.ryanandjeffshow.com/blog/2013/04/11/powershell-fixing-unquoted-service-paths-complete/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4aa6acbc");
  script_set_attribute(attribute:"solution", value:
"Ensure that any services that contain a space in the path enclose the
path in quotes.");
  # Local attack vector: the finding only matters to an attacker who
  # already has a foothold on the host and can write into a directory
  # along the unquoted path.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Windows Service Trusted Path Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");

  # The SMB/svc/* keys read by the main loop are presumably populated by
  # smb_enum_services_params.nasl.  The product-specific plugins listed
  # here are expected to register the services they already examine
  # under SMB/Unquoted/*, which the main loop skips to avoid duplicate
  # findings.
  script_dependencies("smb_enum_services_params.nasl", "symantec_encryption_desktop_sym13-010.nasl", "symantec_enterprise_security_manager_sym12-020.nasl", "symantec_wsa_sym15-004.nasl");
  script_require_keys("SMB/Services/Enumerated");

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");
include("smb_func.inc");

# Reduce a raw service command line (the KB value 'SMB/svc/<name>/path',
# i.e. the service's configured image path plus any arguments) to just
# the executable path, so the caller can test it for unquoted whitespace.
#
# Takes one anonymous argument (the command line) and returns the
# trimmed string.  Where none of the patterns below match, the input is
# returned unchanged.
#
# The regexes are written in single-quoted NASL strings, where '\\'
# yields a single backslash for the regex engine (the same quoting that
# turns '\n' into a newline elsewhere in this plugin).
function extract_service_path()
{
  local_var item, idx;

  item = _FCT_ANON_ARGS[0];
  # If the first character is a '"', the path is enclosed, so just use
  # that to extract the path
  # The surrounding quotes are kept in the result; the caller relies on
  # them to recognise an already-quoted path.  A command line that opens
  # a quote but never closes it does not match and is returned as-is.
  if (item =~ '^"')
  {
    item = ereg_replace(pattern:'^("[^"]+").*', string:item, replace:"\1");
  }
  else
  {
    # First extract any extra paths from the arguments
    # Leading whitespace is dropped, then the drive-letter or UNC ('\\')
    # prefix is kept up to the next ':' - so a second path appearing in
    # the arguments (e.g. a "-config C:\..." value) is cut off at its
    # colon.
    item = ereg_replace(pattern:'^(\\s+)?("?([A-Za-z]:|\\\\)\\\\[^:]+).*', string:item, replace:"\2");

    # Service arguments use '-' or '/' characters for flags
    # First look for '/' flags
    # Everything from the first '/' onward is dropped; this assumes the
    # path itself never contains a forward slash.
    if ('/' >< item)
    {
      idx = stridx(item, '/');
      item = item - substr(item, idx);
    }

    # Now look for ' -' flags
    # Likewise everything from the first ' -' onward is dropped.
    if (' -' >< item)
    {
      idx = stridx(item, ' -');
      item = item - substr(item, idx);
    }

    # Some arguments don't use a flag
    # Greedy match: keep the longest prefix ending in a '\name.ext'
    # component (extension runs to the next whitespace) and discard
    # anything after it.  A path whose executable has no extension is
    # left untouched by this step.
    item = ereg_replace(pattern:'^(([A-Za-z]:|\\\\)\\\\.*\\\\[^\\.]+\\.[^\\s]+).*', string:item, replace:"\1");
  }
  return item;
}

# Build the list of service names to examine from the KB.  Start-up type
# values 2 and 3 (presumably SERVICE_AUTO_START / SERVICE_DEMAND_START -
# confirm against the enumeration plugin) are considered; disabled
# services are skipped unless report_paranoia is at its highest setting.
slist = get_kb_list_or_exit('SMB/svc/*/startuptype');
services = make_list();
foreach service (keys(slist))
{
  if (report_paranoia < 2 && slist[service] != 2 && slist[service] != 3) continue;
  services = make_list(services, service - 'SMB/svc/' - '/startuptype');
}

# Services already examined by dedicated plugins are registered under
# SMB/Unquoted/<service>; collect them so they are not reported twice.
unquoted = make_array();
items = get_kb_list('SMB/Unquoted/*');
if (!isnull(items))
{
  foreach key (keys(items)) unquoted[key - 'SMB/Unquoted/'] = TRUE;
}

# Walk the candidate services and inspect each one's executable path.
# NOTE(review): this flags every unquoted path containing a space; it
# does not verify whether an unprivileged user can actually write to
# one of the intermediate directories, which is what decides real
# exploitability - triage findings with that in mind.
path = '';
info = '';
foreach service (services)
{
  if (unquoted[service]) continue;

  item = get_kb_item('SMB/svc/' + service + '/path');
  if (isnull(item)) continue;

  # Strip arguments so only the executable path remains
  path = extract_service_path(item);

  # Report a path that contains a space but is not wrapped in double
  # quotes, unless the only whitespace is trailing.
  if (' ' >< path && path !~ '^".*"$' && path !~ '^[^\\s]+\\s+$')
  {
    info += '  ' + service + ' : ' + path + '\n';
  }
}

if (info)
{
  port = get_kb_item('SMB/transport');
  if (report_verbosity > 0)
  {
    # Pluralise "service" when more than one entry was collected.
    s = ' ';
    if (max_index(split(info, sep:'\n')) > 1) s = 's ';

    report = '\nNessus found the following service' + s + 'with an untrusted path : ' + '\n' + info + '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');