Executive Summary

CVE-2020-36933 is an unquoted service path vulnerability in the PassThru Service configuration of HTC IPTInstaller version 4.0.9. Because the service's binary path is not enclosed in quotes, an attacker with local access can place a malicious executable in a path that Windows misinterprets due to spaces in directory names. When the service starts, it may execute the malicious code with elevated LocalSystem privileges, allowing the attacker to run code with high-level system rights. [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with local access to escalate their privileges to LocalSystem level by injecting and executing malicious code through the unquoted service path. This means the attacker can gain full control over the affected system, compromising confidentiality, integrity, and availability of the system and its data. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the service configuration for unquoted service paths. Specifically, you can use the Windows command `sc qc "PassThru Service"` to query the service configuration and look for unquoted paths in the binary path. An unquoted path with spaces, such as `C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe`, indicates the vulnerability. [3]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the service path to be properly quoted to prevent path hijacking. Alternatively, ensure that the service binary path does not contain spaces or move the executable to a path without spaces. Additionally, restrict local access to trusted users only, as the exploit requires local access with low complexity. Applying any available patches or updates from HTC for IPTInstaller 4.0.9 is also recommended. [1, 3]

Useful 0 Not Useful 0