Possible vulnerability "Unquoted Service Path Enumeration"

Bug reports will be moved here when the described bug has been fixed

mb31
Junior Member
Posts: 2
Joined: 2021-12-29, 19:32 UTC

Possible vulnerability "Unquoted Service Path Enumeration"

Post by *mb31 »

The vulnerability is about unquoted services, that's not the issue.
But the uninstall string is not quoted and a small security risk.
Better practice is also quoting the uninstall path if necessary.

PS C:\script> .\Windows_Path_Enumerate.ps1 -FixUninstall -FixServices:$False -WhatIf
*********************************************************************
2021-12-29 20:26:05Z : INFO : ComputerName: ********
2021-12-29 20:26:05Z : INFO : Executed x64 Powershell on x64 OS
2021-12-29 20:26:05Z : Old Value : Software : 'Totalcmd64' - C:\Program Files\Totalcmd\tcunin64.exe
2021-12-29 20:26:05Z : Expected : Software : 'Totalcmd64' - "C:\Program Files\Totalcmd\tcunin64.exe"

Script source: https://github.com/VectorBCO/windows-path-enumerate
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Possible vulnerability "Unquoted Service Path Enumeration"

Post by *ghisler(Author) »

Do you mean the UninstallString value in
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Totalcmd64
?
The only problem I see is when someone plants a file named c:\program, but you need administrator rights to put a file in c:\, so it's not a big problem - if the attacker already has admin rights, he can do what he wants. Or do I miss something?
Author of Total Commander
https://www.ghisler.com
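
The check discussed in the two posts above, as an added example that is not part of the thread and not taken from the linked script: it reports unquoted `UninstallString` values and, for each, the shorter paths that would be tried first under the unquoted-command-line rule Microsoft documents for `CreateProcess`. The helper name `Test-UnquotedCommand` and the MsiExec sample value are constructed for illustration; how a given uninstall front end actually launches the string is an assumption.

```powershell
# Added example, read-only: reports unquoted UninstallString values, changes nothing.
# Test-UnquotedCommand is a hypothetical helper name, not part of any existing tool.
function Test-UnquotedCommand {
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return }                 # already quoted
    # Treat everything up to the first ".exe" as the intended executable path.
    $m = [regex]::Match($c, '^(.+?\.exe)\b', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch ' ') { return }                 # no space, nothing ambiguous
    # Documented CreateProcess rule for an unquoted command line: the text
    # before each space is tried first, with ".exe" appended.
    $parts = $exe -split ' '
    $earlier = for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        ($parts[0..$i] -join ' ') + '.exe'
    }
    [pscustomobject]@{
        Intended   = $exe
        TriedFirst = @($earlier) -join '; '
        Quoted     = '"' + $exe + '"' + $c.Substring($exe.Length)
    }
}

# Offline check against sample values.
@(
    'C:\Program Files\Totalcmd\tcunin64.exe'                  # value reported in the thread
    '"C:\Program Files\Totalcmd\tcunin64.exe"'                # quoted form, not reported
    'MsiExec.exe /X{00000000-0000-0000-0000-000000000000}'    # constructed, no space in path
) | ForEach-Object { Test-UnquotedCommand $_ } | Format-List

# Live audit of both registry views (read-only).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object UninstallString |
    ForEach-Object {
        $r = Test-UnquotedCommand $_.UninstallString
        if ($r) {
            [pscustomobject]@{ Key = $_.PSChildName; Current = $_.UninstallString
                               Suggested = $r.Quoted; TriedFirst = $r.TriedFirst }
        }
    } | Format-List
```

For the value from the thread, `TriedFirst` is `C:\Program.exe`, which is the file location the reply above refers to; whether that matters depends on who can write to the drive root.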
mb31
Junior Member
Posts: 2
Joined: 2021-12-29, 19:32 UTC

Re: Possible vulnerability "Unquoted Service Path Enumeration"

Post by *mb31 »

Yes, it's a very minor one.
You need administrator rights.

Could be an issue when another user triggers the uninstall and that user has more privileges, e.g. in a domain.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Possible vulnerability "Unquoted Service Path Enumeration"

Post by *ghisler(Author) »

Another user with admin rights could simply remove the uninstaller or even the Total Commander executable with malware.
There is a hypothetical problem when the user has write rights to the drive root, but not to "Program Files", but that's quite improbable. I will change the installer, though, because it's very easy to change.
Author of Total Commander
https://www.ghisler.com
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Possible vulnerability "Unquoted Service Path Enumeration"

Post by *ghisler(Author) »

This has been changed in TC 10.5 beta.
Author of Total Commander
https://www.ghisler.com