Unquoted Path to Spectrum Services binary/executable
Article ID: 130227
Products
CA Spectrum
Issue/Introduction
A penetration test on a customer's estate identified a potential flaw in the Spectrum SRAdmin service declaration: the path to the executable is not enclosed in quotation marks.
An attacker could potentially exploit this to make Windows search for the service binary on alternate paths. A low-privileged user could thereby cause the service to launch an arbitrary executable, which would run with a higher privilege level than that of the user (a privilege escalation attack). This appears to match CWE-427: https://cwe.mitre.org/data/definitions/427.html
The customer's security team asks to 'enclose the binary path string in quotation marks as shown below (CWE-427 vulnerability): sradmin : "C:\Program Files (x86)\SRAdmin\sradmin.exe"'. Will this be possible, and how can this risk be negated or mitigated?
Environment
This applies to all supported CA Spectrum Windows server platforms.
Resolution
Use "regedit" (the Windows Registry Editor) to update the Windows service declaration by modifying the ImagePath string.
Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\win32app\sradmin\sradmin.exe
Updated to
Data: "C:\win32app\sradmin\sradmin.exe"
Additional Information
During installation, CA Spectrum registers the "sradmin" service in the Windows registry as follows:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sradmin
Class Name: <NO CLASS>
Value 0 - Name: Type; Type: REG_DWORD; Data: 0x10
Value 1 - Name: Start; Type: REG_DWORD; Data: 0x3
Value 2 - Name: ErrorControl; Type: REG_DWORD; Data: 0x1
Value 3 - Name: ImagePath; Type: REG_EXPAND_SZ; Data: C:\win32app\sradmin\sradmin.exe
Value 4 - Name: DisplayName; Type: REG_SZ; Data: SPECTRUM Remote Admin
Value 5 - Name: WOW64; Type: REG_DWORD; Data: 0x1
Value 6 - Name: ObjectName; Type: REG_SZ; Data: LocalSystem
Value 7 - Name: Description; Type: REG_SZ; Data: CA Spectrum Remote Administration Daemon
The ImagePath value was modified manually with "regedit" so that the path to the executable is enclosed in double quotes:
--> Value 3 - Data: "C:\win32app\sradmin\sradmin.exe"
The "sradmin" service was then restarted, and this works fine.
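To confirm the state of the sradmin entry and find other services declared the same way, the following read-only PowerShell audit is an added example, not part of the original article or of CA Spectrum. The function name Test-UnquotedImagePath is hypothetical, and the sample values are constructed from the paths quoted in this article.

```powershell
# Added example: read-only audit for unquoted service paths. Nothing is modified.
function Test-UnquotedImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { return $false }        # already quoted
    # Driver-style paths (\SystemRoot\..., \??\...) are loaded by the kernel; skip them
    if ($p -match '^\\') { return $false }
    # Executable path = everything up to the first ".exe" followed by a space or end
    if ($p -match '^(.+?\.exe)(\s|$)') {
        return [bool]($Matches[1] -match '\s')       # a space inside the path is the risk
    }
    return $false
}

# Constructed sample values, built from the paths that appear in this article
$samples = @(
    'C:\Program Files (x86)\SRAdmin\sradmin.exe',
    'C:\win32app\sradmin\sradmin.exe',
    '"C:\win32app\sradmin\sradmin.exe"'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedImagePath $s), $s
}

# Live check: every service registered under the Services key, including sradmin
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath -Name ImagePath `
             -ErrorAction SilentlyContinue).ImagePath
    if (Test-UnquotedImagePath $path) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $path }
    }
} | Format-Table -AutoSize -Wrap
```

The check flags only unquoted paths that contain a space, because that is the case in which Windows has more than one way to split the command line. Quoting ImagePath as shown in the Resolution remains the safe default for any install location.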