Can you explain this vulnerability to me?

This vulnerability is an unquoted service path issue in the LogonExpertSvc service of LogonExpert version 8.1. Because the service path contains spaces and is not enclosed in quotes, Windows may misinterpret the path and execute malicious executables placed in intermediate directories. This allows an attacker with local access to place a crafted executable in these directories, which will be run with LocalSystem privileges when the service starts, leading to privilege escalation. [2, 3]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

An attacker with local access can exploit this vulnerability to execute malicious code with elevated system privileges (LocalSystem). This can lead to full system compromise, unauthorized access, and control over the affected machine, bypassing normal security restrictions. [2, 3]

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the service path of the LogonExpertSvc service for unquoted paths containing spaces. You can use the Windows Management Instrumentation Command-line (WMIC) to list services with automatic start mode excluding those in the Windows directory and those with quoted paths. Specifically, you can run the command: `sc qc LogonExpertSvc` to query the service configuration and confirm if the binary path is unquoted. [3]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include correcting the unquoted service path by quoting the entire path of the LogonExpertSvc service executable to prevent execution of malicious executables in intermediate directories. Additionally, ensure that only trusted users have write permissions to the directories in the service path to prevent placing malicious executables. Applying updates or patches from the vendor when available is also recommended. [2, 3]

Useful 0 Not Useful 0