Windows Unquoted Service Path Enumeration

Bug #1378074 reported by nerijus
This bug affects 2 people
Affects: OCS Inventory: Windows Agent
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Nessus security scanner reports the following:
"The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

Nessus found the following service with an untrusted path :
  OCS Inventory Service : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe"

It would be nice if the installer created the service with a quoted path.

nerijus (nerijus-users)
information type: Private Security → Public
anonymous (taine0) wrote :

I'm using a PowerShell script now to rewrite all the records in the registry. Any idea of when this easy thing can be fixed? To be a big risk as it is one of the few services in our domain containing unquoted paths.

nerijus (nerijus-users) wrote :

Actually it should be quite easy to fix it. You have to find the place in the source code (https://github.com/OCSInventory-NG/WindowsAgent), add quotes in it and post a patch or Pull request.

nerijus (nerijus-users) wrote :

It seems service is created in https://github.com/OCSInventory-NG/WindowsAgent/blob/master/Service/NTService.cpp CNTService::Install()
Do you know where the quotes should be added?

nerijus (nerijus-users) wrote :
anonymous (taine0) wrote :

I know, it's quite easy, but having to compile from source every time it's kind of useless as we all need this. At least to me, I'd rather see this merged in PROD.

anonymous (taine0) wrote :

Looks good tho, might have a test today:

+ szFilePath[0] = szFilePath[len + 1] = TEXT('\"');
+ szFilePath[len + 2] = 0;
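
Review bot: the stores to szFilePath[len + 1] and szFilePath[len + 2] assume the buffer holds at least len + 3 characters, and neither line checks that. Add a bound check against the buffer's declared size before these writes and fail the install if the quoted path does not fit. Writing the opening quote to szFilePath[0] is also only correct if the path text was copied in starting at index 1, which these two lines do not show, so a short comment stating that layout would help. TEXT('\"') can be written TEXT('"'), since the backslash is not needed in a character literal.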

nerijus (nerijus-users) wrote :

That's why I said "post a patch or Pull request" after you fix it. So that the fix is included in the next version and you don't have to compile from source.

nerijus (nerijus-users) wrote :

PR was merged, so in the next release the bug should be fixed.

anonymous (taine0) wrote :

Thanks @Nerijus

nerijus (nerijus-users)
Changed in ocsinventory-windows-agent:
status: New → Fix Committed
nerijus (nerijus-users)
Changed in ocsinventory-windows-agent:
status: Fix Committed → Fix Released
nerijus (nerijus-users) wrote :

The fix is in the released 2.3.1 version; unfortunately, it does not quote the path if the service is already installed. You have to uninstall the older agent first, which is unfortunate, as you cannot mass upgrade (deploy).
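
A read-only audit for the situation described in the last comment (a service that was installed earlier keeps its unquoted path), added here as an example; it is not code from the OCS Inventory project and not the script mentioned earlier in the thread. The function name `Get-QuotedImagePath` and the rule that the executable ends at the first `.exe` followed by whitespace or end of string are assumptions of this example.

```powershell
# Added example: report services whose ImagePath is unquoted and contains whitespace.
# Read-only: nothing is written to the registry.

# Returns the quoted form of an ImagePath that needs quoting, or $null if it is fine.
function Get-QuotedImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }          # already quoted

    # Assumption: the executable is everything up to the first ".exe" that is
    # followed by whitespace or end of string; the remainder is arguments.
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }             # e.g. kernel drivers (.sys)

    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch '\s') { return $null }         # no whitespace in the path
    return '"{0}"{1}' -f $exe, $m.Groups['args'].Value
}

# Constructed sample values; the first is the path from the Nessus finding above.
$samples = @(
    'C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe',
    '"C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $fix = Get-QuotedImagePath -ImagePath $s
    if ($fix) { "NEEDS QUOTES: $s  ->  $fix" } else { "ok:           $s" }
}

# Live audit of the local machine (skipped where the registry drive is absent).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
if (Test-Path $servicesKey) {
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $prop = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
        if (-not $prop -or -not $prop.ImagePath) { return }   # key has no ImagePath
        $quoted = Get-QuotedImagePath -ImagePath $prop.ImagePath
        if ($quoted) {
            [pscustomobject]@{
                Service    = $_.PSChildName
                ImagePath  = $prop.ImagePath
                QuotedPath = $quoted
            }
        }
    }
}
```

Review each `QuotedPath` before writing it back to the service's `ImagePath` value, since the `.exe` rule is a heuristic and the value read here has environment variables already expanded.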
