EG Free AntiVirus version 2020 suffers from an unquoted service path vulnerability that can lead to privilege escalation.
f5afeadbe9a6dd42729251f44605027c495f8ca53f5077f1ef0566b30d207ffd# Exploit Title: EG Free AntiVirus v2020 - Unquoted Service Path (Local Privilege Escalation)
# Date: 24/01/2022
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: http://www.egsoftweb.in/index.aspx
# Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6
# Version: 2020
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46439
-------------
Description:
-------------
EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with
an unquoted service path. Since this service is running as SYSTEM, it
creates a local privilege escalation vulnerability. To properly exploit
this vulnerability, a local attacker must insert an executable in the
path of the service. Rebooting the system or restarting the service
will run the malicious executable with elevated privileges.
------------------
Proof of Concept:
------------------
C:\Users\shah>sc qc “WinSEGAV AutoConfig”
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WinSEGAV AutoConfig
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\EGSoftWeb\EG Anti
Virus\egavser.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Service For EG Free AntiVirus
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Best regards,
Shahrukh Iqbal Mirza.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed