| Title | Published | Views | Family |
|---|---|---|---|
| Advanced Host Monitor v12.56 - Unquoted Service Path Vulnerability | 2 May 2023 00:00 | – | zdt |
| KS-Soft HostMonitor Code Issue Vulnerability | 29 Apr 2023 00:00 | – | cnnvd |
| CVE-2023-2417 | 29 Apr 2023 00:31 | – | cve |
| CVE-2023-2417 ks-soft Advanced Host Monitor rma_active.exe unquoted search path | 29 Apr 2023 00:31 | – | cvelist |
| EUVD-2023-33907 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2023-2417 | 29 Apr 2023 01:15 | – | nvd |
| Advanced Host Monitor 12.56 Unquoted Service Path | 3 May 2023 00:00 | – | packetstorm |
| Information disclosure | 29 Apr 2023 01:15 | – | prion |
| PT-2023-19457 · Ks Soft · Advanced Host Monitor | 29 Apr 2023 00:00 | – | ptsecurity |
| CVE-2023-2417 | 23 May 2025 03:20 | – | redhatcve |
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2
Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path
Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56, affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". The vulnerability occurs because the service's path is misconfigured: it contains spaces and is not enclosed in quotation marks, which allows an attacker to run a malicious file instead of the legitimate executable associated with the service.

An attacker with local user privileges could exploit this vulnerability to replace the legitimate RMA-Win\rma_active.exe service executable with a malicious file of the same name located in a directory that has a higher priority than the legitimate directory. That way, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning.

To exploit this vulnerability, an attacker would need local access to the system and the ability to write and replace files on the system. The vulnerability can be mitigated by correcting the service path so that the full path of the executable is enclosed in quotation marks. Furthermore, it is recommended that users keep software updated with the latest security updates and limit physical and network access to their systems to prevent malicious attacks.
Proof of Concept:
================
C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveRMAService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KS Active Remote Monitoring Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
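
The check and the mitigation described above, as an added example that is not part of the original advisory or the vendor's code: a Python audit that parses `sc qc` output, flags an unquoted binary path containing spaces, and builds the quoted replacement. The function names and the embedded sample (the advisory's output, abridged, with the wrapped path rejoined) are assumptions made for illustration.

```python
import re

# Constructed sample: the advisory's `sc qc ActiveRMAService` output (abridged),
# with the wrapped BINARY_PATH_NAME value joined back onto one line.
SAMPLE = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        SERVICE_START_NAME : LocalSystem
"""

# Executable path = shortest prefix ending in ".exe" followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def parse_sc_qc(text):
    """Return {FIELD: value} for one `sc qc` output block."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so "C:\..." stays intact
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_service(text):
    """Flag an unquoted binary path containing spaces and propose the quoted form."""
    cfg = parse_sc_qc(text)
    path = cfg.get("BINARY_PATH_NAME", "")
    result = {"service": cfg.get("SERVICE_NAME"), "account": cfg.get("SERVICE_START_NAME"),
              "vulnerable": False, "fixed_path": path, "fix_command": None}
    match = EXE_RE.match(path)
    if path.startswith('"') or not match:
        return result  # already quoted, or not an .exe path this check understands
    exe, args = match.groups()
    if " " in exe:
        result["vulnerable"] = True
        result["fixed_path"] = f'"{exe}"{args}'
        # sc.exe expects the inner quotes escaped with backslashes.
        result["fix_command"] = (f'sc config {result["service"]} '
                                 f'binPath= "\\"{exe}\\"{args}"')
    return result


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE).items():
        print(f"{key}: {value}")
```

The `account` field is reported because an unquoted path matters most when the service runs as a privileged account such as LocalSystem, as it does here.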