Executive Summary

This vulnerability is an unquoted service path issue in EPSON EasyMP Network Projection version 2.81. The service 'EMP_NSWLSV' runs from a path that contains spaces but is not enclosed in quotes. This allows a local attacker to place a malicious executable in a directory with higher priority in the path, such as "C:\Program Files (x86)\EPSON", which could then be executed with LocalSystem privileges when the service starts. Essentially, it enables privilege escalation by exploiting how Windows handles unquoted service paths. [1]

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows a local attacker to execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on a Windows system. This can lead to full control over the affected system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. [1]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking the service path of the 'EMP_NSWLSV' service for unquoted spaces. On a Windows system, use the command: sc qc EMP_NSWLSV. If the binary path contains spaces and is not enclosed in quotes, the system is vulnerable. Additionally, you can manually inspect the service executable path at C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe to confirm the unquoted path issue. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the service path to include quotes around the executable path to prevent execution of malicious code. Alternatively, update or patch EPSON EasyMP Network Projection to a version where this issue is fixed. As a temporary workaround, ensure that no malicious executables exist in directories higher in the path hierarchy (e.g., C:\Program Files (x86)\EPSON) and restrict local user permissions to prevent placing malicious files there. [1]

Useful 0 Not Useful 0