WPKG-GP Service Trusted Path Privilege Escalation’

[GoogleCodeExporter]

An examination of the path installed for the WPKG-GP service shows that the 
path is not quoted.  This has the possibility for exploitation and running 
arbitrary software (though default filesystem ACLs provide some level of 
protection).

Specifically, WPKG-GP installs its service with a path of:

C:\Program Files\Wpkg-GP\WpkgServer.exe

If a malicious program named "Program.exe" were installed in C:\ and the 
WPKG-GP service were then (re-)started, the malicious program would be executed 
instead.

Best practice for service image paths would indicate that the path should be:

"C:\Program Files\Wpkg-GP\WpkgServer.exe"

This remediates the problem for the WPKG-GP service.

See:

http://www.tenable.com/sc-report-templates/microsoft-windows-unquoted-service-pa
th-enumeration

What version of the product are you using? On what operating system?

0.15 on Windows 7/XP

Paul

Original issue reported on code.google.com by paul.ort...@gmail.com on 29 Jul 2013 at 4:49