Hi all, new here so sorry if it's wrong to post bugs in this section (My bad) :)
I noticed that during an installation of MBAM premium trial, the installation process creates a service that will be run as NT/SYSTEM but doesn't quote its process path. This is an unquoted service path vulnerability that can elevate a user with write access to the C:\ drive to NT/SYSTEM. Reference for this vector: https://www.commonexploits.com/unquoted-service-paths/.
I've attached a video of me demonstrating the vulnerability.
To exploit this vulnerability, an attacker would have to:
1. Copy a file (Malware / backdoor shell) to C:\Program.exe
2. Run the MBAM installer
3. The file will be run with SYSTEM privileges (bad) and the installer will fail (also potentially a DoS vulnerability in the MBAM installer that malware can leverage to prevent MBAM from being installed).
How does this work?
Well, Windows services are simply processes executed with SYSTEM privileges, but there is a flaw in how Windows interprets the binPath (the process path to execute): if the path isn't quoted, Windows will interpret a SPACE as the end of the path. For example, if c:\program files\mbam.exe is not quoted, Windows will first try to execute "c:\program.exe" since it does not recognise a space.
How can this be fixed?
Simple! You just quote your service path: string a = @"""c:\program files\mbam.exe"""; (a verbatim C# string, where a doubled quote is a literal quote) instead of string a = @"c:\program files\mbam.exe";
Regards,
Natsumi
2020-08-03 15-03-54 MBAM.mp4
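As an added example (not code from the post above, its author, or Malwarebytes), here is a small Python checker that models the CreateProcess lookup the post describes: for each space in an unquoted ImagePath it lists the candidate executables Windows would try, in order, before reaching the intended binary, filters them against a caller-supplied list of user-writable directories, and produces the quoted value that fixes the service. Only the path c:\program files\mbam.exe is taken from the post; the service names, the Vendor / Vendor Tools paths and the writable-directory list are constructed for the demo. On Windows the script reads real ImagePath values from the registry; elsewhere it runs against the constructed sample.

```python
"""Unquoted-service-path checker (added example; not from the original post)."""
import ntpath
import os
import sys
from typing import Dict, List, Tuple

# Real registry location of each service's ImagePath value (read on Windows only).
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def is_quoted(image_path: str) -> bool:
    """A command line starting with a double quote reaches CreateProcess unambiguously."""
    return image_path.lstrip().startswith('"')


def _split_exe(cmd: str) -> Tuple[str, str]:
    """Split an unquoted command line into (executable, arguments).

    Heuristic: the executable ends at the first space-delimited prefix whose last
    path component has an extension (e.g. ...\\svc.exe); the rest is arguments."""
    for i, ch in enumerate(cmd):
        if ch == " " and "." in ntpath.basename(cmd[:i]):
            return cmd[:i], cmd[i:]
    return cmd, ""


def _with_exe(prefix: str) -> str:
    # CreateProcess appends ".exe" when a candidate's last component has no extension.
    return prefix if "." in ntpath.basename(prefix) else prefix + ".exe"


def hijack_candidates(image_path: str) -> List[str]:
    r"""Executables CreateProcess tries, in order, for an unquoted ImagePath.

    r'C:\Program Files\Vendor Tools\agent.exe --port 8080' yields C:\Program.exe,
    C:\Program Files\Vendor.exe and finally the intended agent.exe. Lookup stops at
    the first candidate that exists, so every entry before the last is a file an
    attacker could plant. Quoted paths and paths without spaces yield []."""
    cmd = image_path.strip()
    if is_quoted(cmd):
        return []
    exe, _ = _split_exe(cmd)
    if " " not in exe:
        return []
    candidates = [_with_exe(exe[:i]) for i, ch in enumerate(exe) if ch == " "]
    candidates.append(_with_exe(exe))
    return candidates


def exposed_candidates(image_path: str, writable_dirs: List[str]) -> List[str]:
    """Candidates whose parent directory is in writable_dirs (the intended binary excluded).

    writable_dirs must come from the host (icacls / Get-Acl); this example does not collect it."""
    norm = {ntpath.normcase(ntpath.normpath(d)) for d in writable_dirs}
    return [c for c in hijack_candidates(image_path)[:-1]
            if ntpath.normcase(ntpath.dirname(c)) in norm]


def quote_image_path(image_path: str) -> str:
    """The fix: quote the executable, leave arguments outside the quotes."""
    cmd = image_path.strip()
    if is_quoted(cmd):
        return cmd
    exe, args = _split_exe(cmd)
    return f'"{exe}"{args}' if " " in exe else cmd


def scan(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to its ordered candidate list."""
    return {name: cands for name, path in services.items() if (cands := hijack_candidates(path))}


def read_services_from_registry() -> Dict[str, str]:
    """Windows only: collect every ImagePath under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg  # stdlib, Windows only
    found: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
                found[name] = os.path.expandvars(value)  # REG_EXPAND_SZ may hold %SystemRoot%
            except OSError:  # no ImagePath value, or access denied
                continue
    return found


# Constructed sample in the shape of ImagePath values; only the mbam.exe path is from the post.
SAMPLE_SERVICES = {
    "ExampleSvc": r"c:\program files\mbam.exe",                         # unquoted: vulnerable
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe" -service',         # quoted: safe
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",        # spaces only in args: safe
    "ArgsSvc": r"C:\Program Files\Vendor Tools\agent.exe --port 8080",  # unquoted with args: vulnerable
}
# Constructed: directories assumed writable by a standard user, for the demo only.
SAMPLE_WRITABLE = ["C:\\", r"C:\Program Files\Vendor Tools"]

if __name__ == "__main__":
    services = read_services_from_registry() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, candidates in scan(services).items():
        print(f"{name}: {services[name]}")
        print("  CreateProcess tries:", " -> ".join(candidates))
        print("  plantable (per SAMPLE_WRITABLE):", exposed_candidates(services[name], SAMPLE_WRITABLE))
        print("  fix:", quote_image_path(services[name]))
```

Whether a candidate is actually plantable depends on the ACL of its parent directory, so confirm with icacls on the directory (for C:\Program.exe that is the root of C:) before reporting a service as exploitable. The quoted value printed as the fix is what you would set with sc config <service> binPath= "\"C:\Program Files\...\svc.exe\" <args>"; the split between executable and arguments is a heuristic, so review it for services whose path contains dots in directory names.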