wiki:UnquotedServicePathIn24WindowsInstallers

Version 1 (modified by Samuli Seppänen, 7 years ago)

Add security announcement for openvpn-install-2.4.3-I602

Introduction

Commit 8795ccfd25 to openvpn-build made the NSIS installer manage services using the SimpleSC NSIS plugin. The new service management commands did not properly quote service paths, which created a subtle vulnerability.

The vulnerability can be easily exploited, but only on systems where the C:\ drive is writeable by limited user(s). Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.

Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.

Original Nessus report

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.

Solution

Ensure that any services that contain a space in the path enclose the path in quotes.

See Also

Output

Nessus found the following services with an untrusted path:

  • OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
  • OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe
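
The check that the report describes can be reproduced offline. The Python code below is an added example, not part of the original announcement, the Nessus plugin or the OpenVPN installer. It flags service command lines whose executable path contains whitespace without enclosing quotes, lists the shorter paths Windows would try first (the locations whose write permissions matter, such as the root of C:\), and prints the quoted form. All function names are hypothetical, and the `QuotedExample` and `NoSpaceExample` entries are constructed for comparison.

```python
import re

# Paths for the two OpenVPN services are taken from the Nessus output above;
# the other two entries are constructed for comparison.
SAMPLE_SERVICES = {
    "OpenVPNServiceLegacy": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "OpenVPNServiceInteractive": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "QuotedExample": r'"C:\Program Files\OpenVPN\bin\openvpnserv.exe"',
    "NoSpaceExample": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)


def executable_part(image_path):
    """Split a service command line into (executable path, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    return (s[:m.end()] if m else s), False


def ambiguous_prefixes(exe_path):
    """Paths Windows tries before the intended one when quotes are missing:
    the string cut at each space, with .exe appended. Audit who can write there."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def audit(services):
    """Return {service: {"check_acl": [...], "quoted": fixed command line}}."""
    findings = {}
    for name, image_path in services.items():
        exe, quoted = executable_part(image_path)
        if quoted or " " not in exe:
            continue  # quoted, or no whitespace in the executable path
        rest = image_path.strip()[len(exe):]  # arguments, if any
        findings[name] = {
            "check_acl": ambiguous_prefixes(exe),
            "quoted": f'"{exe}"{rest}',
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted; check write access to {f['check_acl']}")
        print(f"  corrected: {f['quoted']}")
```
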