Unquoted Service Path in Perimeter 81 Agent


Vulnerability Summary

An Unquoted Service Path vulnerability exists in the Perimeter81.HelperService Windows Service, which is installed alongside the Perimeter 81 Windows Agent. The vulnerability is present in the latest version of Perimeter 81 (9.0.2.1195) and may exist in previous versions.

Successful exploitation of this vulnerability would allow a low-privileged user to run arbitrary code as SYSTEM, making this a privilege escalation vector carrying a CVSS 3.1 Base Score of 7.8 (High).

This vulnerability was discovered and successfully exploited in a test environment in February 2023 by Endure Secure.

Technical Details

Test Environment

Edition: Windows Server 2022 Standard
Version: 21H2
OS Build: 20348.587

Vulnerable Software

Installer

Software: Perimeter 81 9.0.2.1195
File Name: Perimeter81_9.0.2.1195.msi
SHA1: eb071d9c129772b0fd670796ebff7eb3ad02dbce
URL: https://static.perimeter81.com/agents/windows/Perimeter81_9.0.2.1195.msi

Service

Service Name: Perimeter81.HelperService
Path to Executable: C:\Program Files\Perimeter 81\Perimeter81.HelperService.exe
SHA1: 911236b8f193eeeb98e12def5ee8275aef2689e7

Explanation

This type of vulnerability is categorised by MITRE as T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path:

“Service paths and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe") An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program.”

By default, Perimeter81.HelperService.exe is installed in a path containing two spaces (C:\Program Files\Perimeter 81\Perimeter81.HelperService.exe), so there are two locations where a User could attempt to introduce their own file, which would then be executed as SYSTEM:

  • C:\Program.exe
  • C:\Program Files\Perimeter.exe

For the program to be executed, the Service would have to be restarted after introducing these files. If the User did not have permissions to restart the Service, they could instead restart the computer, as the Service is set to start automatically.

Endure Secure has tested and confirmed the exploitability of this vulnerability by compiling an executable named ‘Perimeter.exe’ and inserting it into the path (C:\Program Files\Perimeter.exe). The executable ran a command which added our low-privilege User into the Administrators group. After restarting the computer, the Service started, and our User had been added into the Administrators group.

CVSS 3.1 Score

CVSS Base Score: 7.8

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Link: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1

Recommendations

Change the ‘Path to executable’ for the Perimeter81.HelperService from:

<path>\Perimeter 81\Perimeter81.HelperService.exe

to

"<path>\Perimeter 81\Perimeter81.HelperService.exe"

Example:

C:\Program Files\Perimeter 81\Perimeter81.HelperService.exe

to

"C:\Program Files\Perimeter 81\Perimeter81.HelperService.exe"
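
To check which services on a host need this change, the following read-only PowerShell audit lists every unquoted service path and the locations that would be resolved ahead of the intended executable. It is an added example, not code from Endure Secure or Perimeter 81; the function name Get-InterceptionCandidate is hypothetical, and the script assumes service binaries end in ".exe".

```powershell
# Added example: read-only audit for unquoted service paths. Changes nothing.
# Get-InterceptionCandidate is a hypothetical helper name, not a built-in cmdlet.
function Get-InterceptionCandidate {
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { return }              # quoted path: not affected

    # Keep the executable portion only, dropping any arguments after ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value

    # Each space is a point where the unquoted string can be cut short and
    # resolved as "<prefix>.exe" before the intended executable is reached.
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $exe.Substring(0, $i) + '.exe' }
    }
}

# The service path from this page, used as sample input.
Get-InterceptionCandidate 'C:\Program Files\Perimeter 81\Perimeter81.HelperService.exe'

# Every service on the local machine: one row per candidate location.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        foreach ($c in (Get-InterceptionCandidate -ImagePath $svc.PathName)) {
            $dir = Split-Path -Path $c -Parent
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                PathName  = $svc.PathName
                Candidate = $c
                # A file already present here deserves investigation.
                Exists    = Test-Path -LiteralPath $c
                # Who may create files in the directory the candidate sits in.
                ParentAcl = (Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue).AccessToString
            }
        }
    } | Format-List
```

A row with Exists set to True, or a ParentAcl that grants write access to non-administrators, marks a service whose path should be quoted first.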

Disclosure Timeline

  • 2023-02-05 – Disclosed vulnerability details to Perimeter 81.
  • 2023-02-05 – Perimeter 81 support acknowledged receipt of the vulnerability details and said they would pass them to their security team.
  • 2023-02-10 – Received notice from Perimeter 81 that our case had been resolved without any explanation. Sent a follow-up email asking for more information.
  • 2023-02-15 – Advised by Perimeter 81 that they do not consider this to be a vulnerability and will not make any changes to the application.*
  • 2023-02-15 – Advised Perimeter 81 that we will publish details about the vulnerability.

*NOTE: Endure Secure respects the rights of software publishers to make a risk-based decision on whether to address vulnerabilities. We also believe that publishing details of discovered vulnerabilities, no matter how exploitable, is important to allow users to make a risk-based decision when using software products.