wiki:UnquotedServicePathIn24WindowsInstallers

Version 2 (modified by Samuli Seppänen, 7 years ago)

Introduction

Commit 8795ccfd25 to openvpn-build made the NSIS installer manage services using the SimpleSC NSIS plugin. The new service management commands did not properly quote service paths, which created a subtle medium-level vulnerability. The vulnerability can be exploited if two conditions are met:

  • The C:\ drive is writeable by limited user(s)
  • OpenVPN was installed using official OpenVPN 2.4 Windows installers

Users of such systems are urged to upgrade to openvpn-install-2.4.3-I602 or later as soon as possible.

Thanks to Jason Haar for finding and reporting this issue! The original Nessus report is available below.

Original Nessus report

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.

Solution

Ensure that any services that contain a space in the path enclose the path in quotes.

See Also

Output

Nessus found the following services with an untrusted path:

  • OpenVPNServiceLegacy : C:\Program Files\OpenVPN\bin\openvpnserv.exe
  • OpenVPNServiceInteractive : C:\Program Files\OpenVPN\bin\openvpnserv.exe
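
The following audit sketch is an added example, not part of the original wiki page or of the Nessus plugin. It takes service ImagePath values (for instance exported from the registry or from `sc qc`), flags unquoted ones with a space in the executable path, and lists the shorter paths Windows would try first, so that write permissions on those locations can be reviewed. The function names and the last two sample entries are constructed for illustration.

```python
import re

# Service name -> ImagePath. The first two values come from the Nessus output
# above; the last two are constructed for comparison.
SAMPLE_SERVICES = {
    "OpenVPNServiceLegacy": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "OpenVPNServiceInteractive": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "QuotedExample": r'"C:\Program Files\OpenVPN\bin\openvpnserv.exe"',
    "NoSpaceExample": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath (up to the first .exe)."""
    match = re.match(r"(?i)\s*(.*?\.exe)(?=\s|$)", image_path)
    return match.group(1) if match else image_path.strip()


def ambiguous_prefixes(image_path):
    """List the paths Windows tries before the intended executable.

    For an unquoted command line, process creation splits at each space and
    tries the prefix, with .exe appended, as the program name. A quoted path
    has no such ambiguity.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe = executable_part(path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Return {service name: [paths to review]} for every affected service."""
    findings = {}
    for name, image_path in services.items():
        candidates = ambiguous_prefixes(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path, review write access for {candidates}")
```

For the two OpenVPN services the only ambiguous location is directly under C:\, which matches the first exploitation condition listed in the introduction.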