Executive Summary

CVE-2022-50921 is an unquoted service path vulnerability in WOW21 version 5.0.1.9. This means the service executable path is not enclosed in quotes, which can allow a local attacker to place a malicious executable in a location that the system mistakenly executes instead of the intended service binary. When the service starts, it runs the malicious executable with elevated LocalSystem privileges, potentially allowing arbitrary code execution with high system privileges. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local attacker with limited privileges to escalate their privileges to LocalSystem level by exploiting the unquoted service path. This means the attacker can execute arbitrary code with the highest system privileges, potentially leading to full system compromise, unauthorized access, and control over the affected machine. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking if the WOW21_Service has an unquoted service path. On a Windows system, use the command: sc qc WOW21_Service. This will display the service configuration including the binary path. If the path to the executable is unquoted and contains spaces (e.g., C:\Program Files\WOW21\WOW21_Service.exe without quotes), the system is vulnerable to this unquoted service path issue. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately quote the service binary path in the service configuration to prevent the system from misinterpreting the path. This can be done by editing the service configuration to enclose the executable path in double quotes. Alternatively, update WOW21 to a version where this vulnerability is fixed or remove the vulnerable service if it is not needed. Restrict local user permissions to prevent unauthorized modification of directories in the service path. [1, 2]

Useful 0 Not Useful 0