Unquoted Path to Spectrum Services binary/executable

book

Article ID: 130227

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

A Pentest on customers estate identified a potential flaw in Spectrum SRAdmin service declaration: The path to the executable has not been enclosed within quotation marks.

This could potentially be exploited by a hacker to trick windows to search for service binaries on alternate paths. This could be exploited by a low privileged user to cause the service to launch an arbitrary executable which would run with a higher privilege level than that of the user (a privilege escalation attack).
This appears to match to CWE-427 / https://cwe.mitre.org/data/definitions/427.html
 

 

Customer security is asking the question 'enclose the binary path string in quotation marks as shown below (CWE-427 vulnerability):
sradmin : “C:\Program Files (x86)\SRAdmin\sradmin.exe” - Will this be possible/how can this risk be negated or mitigated?

 

Environment

This applies to all supported CA Spectrum Windows server platforms.
 

Resolution

Using "regedit" (windows registry editor) for Windows service declaration update - then modify ImagePath string.
Value 3 Name: ImagePath Type: REG_EXPAND_SZ Data: C:\win32app\sradmin\sradmin.exe

Updated to Data: "C:\win32app\sradmin\sradmin.exe"

 

Additional Information

CA Spectrum Service registration into Windows registry for the "sradmin" service - this is declared during install to: 

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sradmin 
Class Name: <NO CLASS> 

Value 0 - Name: Type Type: REG_DWORD Data: 0x10 
Value 1 - Name: Start Type: REG_DWORD Data: 0x3 
Value 2 - Name: ErrorControl Type: REG_DWORD Data: 0x1 
Value 3 - Name: ImagePath Type: REG_EXPAND_SZ Data: C:\win32app\sradmin\sradmin.exe 
Value 4 - Name: DisplayName Type: REG_SZ Data: SPECTRUM Remote Admin 
Value 5 - Name: WOW64 Type: REG_DWORD Data: 0x1 
Value 6 - Name: ObjectName Type: REG_SZ Data: LocalSystem 
Value 7 - Name: Description Type: REG_SZ Data: CA Spectrum Remote Administration Daemon 



Did modification per manual "regedit" - then modified path to executable covering "double-quotes" to: 

--> Value 3 - Data: "C:\win32app\sradmin\sradmin.exe" 

Then restarted the "sradmin"-service and this works fine.