Exploit for Advanced Host Monitor 12.56 Unquoted Service Path CVE-2023-2417

Name: Exploit for Advanced Host Monitor 12.56 Unquoted Service Path CVE-2023-2417
Rating: 5 (149 reviews)
2023-05-03 | CVSS 6.9
## https://sploitus.com/exploit?id=PACKETSTORM:172105
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path  
# Date: 2023-04-23  
# CVE: CVE-2023-2417  
# Exploit Author: MrEmpy  
# Vendor Homepage: https://www.ks-soft.net  
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm  
# Version: > 12.56  
# Tested on: Windows 10 21H2  
  
  
Title:  
================  
Advanced Host Monitor > 12.56 - Unquoted Service Path  
  
  
Summary:  
================  
An unquoted service path vulnerability has been discovered in Advanced Host  
Monitor version > 12.56 affecting the executable "C:\Program Files  
(x86)\HostMonitor\RMA-Win\rma_active.exe" . This vulnerability occurs when  
the service's path is misconfigured, allowing an attacker to run a  
malicious file instead of the legitimate executable associated with the  
service.  
  
An attacker with local user privileges could exploit this vulnerability to  
replace the legitimate RMA-Win\rma_active.exe service executable with a  
malicious file of the same name and located in a directory that has a  
higher priority than the legitimate directory. That way, when the service  
starts, it will run the malicious file instead of the legitimate  
executable, allowing the attacker to execute arbitrary code, gain  
unauthorized access to the compromised system, or stop the service from  
functioning.  
  
To exploit this vulnerability, an attacker would need local access to the  
system and the ability to write and replace files on the system. The  
vulnerability can be mitigated by correcting the service path to correctly  
quote the full path of the executable, including quotation marks.  
Furthermore, it is recommended that users keep software updated with the  
latest security updates and limit physical and network access to their  
systems to prevent malicious attacks.  
  
  
Proof of Concept:  
================  
  
C:\>sc qc ActiveRMAService  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: ActiveRMAService  
TYPE : 110 WIN32_OWN_PROCESS (interactive)  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files  
(x86)\HostMonitor\RMA-Win\rma_active.exe /service  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : KS Active Remote Monitoring Agent  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem