Security #8600 (closed)
windows: unquoted LocalSystem service ImagePath
Description
Hello OISF Security Team,
I’m reporting a local privilege escalation issue in Suricata’s Windows service
install/update logic.
The attached report includes source-level analysis, positive and negative PoC
controls, writable-parent validation, and live disposable SCM validation showing
execution as SYSTEM / S-1-5-18.
Summary
Suricata’s SCServiceInstall and SCServiceChangeParams build a Windows service
ImagePath by taking GetModuleFileName, appending arguments with spaces, and
passing the unquoted result to CreateService / ChangeServiceConfig. When
Suricata is installed under a path containing spaces, Windows may resolve and
execute an earlier attacker-controlled path component. Because the service is
configured to run as LocalSystem, this can lead to local privilege escalation in
writable-parent deployments.
Impact
Arbitrary code execution as LocalSystem on affected Windows hosts, subject to
installation path, ACLs, and service start/restart conditions.
I assess this as High severity: deployment-dependent local privilege escalation,
not remotely triggerable by network traffic.
I look forward to your review and am happy to provide any additional details
needed.
Regards,
Yazdan Soltani
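The defect class the report describes is a string-construction bug: the executable path returned by GetModuleFileName is concatenated with arguments and handed to the Service Control Manager unquoted, so a path such as `C:\Program Files\Suricata\suricata.exe` can be split at its spaces. The following is an added example written for this page, not Suricata's own SCServiceInstall/SCServiceChangeParams code and not part of the reporter's attachment. It shows the unquoted construction beside the hardened one (quote the executable path before appending arguments) and a small audit check that flags an ImagePath value with the risky shape. The Windows API calls are left out so the string logic runs anywhere; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Suricata's code. Function names are hypothetical. */

/* Vulnerable pattern: "<exe> <args>" with no quoting. If <exe> contains
 * spaces, the SCM may try earlier path prefixes as the executable. */
int build_image_path_unquoted(const char *exe, const char *args,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", exe, args ? args : "");
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: always wrap the executable path in double quotes so the
 * SCM treats the whole path as one token regardless of embedded spaces. */
int build_image_path_quoted(const char *exe, const char *args,
                            char *out, size_t outlen)
{
    int n;
    if (exe == NULL || strchr(exe, '"') != NULL)  /* a quote inside a path is never valid */
        return -1;
    if (args != NULL && args[0] != '\0')
        n = snprintf(out, outlen, "\"%s\" %s", exe, args);
    else
        n = snprintf(out, outlen, "\"%s\"", exe);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Locate a case-insensitive ".exe" in s, or return NULL. */
static const char *find_exe_suffix(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (p[0] == '.' &&
            (p[1] == 'e' || p[1] == 'E') &&
            (p[2] == 'x' || p[2] == 'X') &&
            (p[3] == 'e' || p[3] == 'E'))
            return p;
    }
    return NULL;
}

/* Audit check: does an ImagePath value have the risky shape?
 * Risky = does not start with a quote AND the executable portion (up to
 * ".exe", or the whole string if no ".exe" is present) contains a space.
 * Spaces only in the arguments after ".exe" are not flagged. */
bool image_path_is_unquoted_with_spaces(const char *image_path)
{
    if (image_path == NULL || image_path[0] == '"')
        return false;
    const char *end = find_exe_suffix(image_path);
    size_t exe_len = end ? (size_t)(end - image_path) : strlen(image_path);
    return memchr(image_path, ' ', exe_len) != NULL;
}

int main(void)
{
    /* Constructed sample values; not taken from any real installation. */
    const char *exe = "C:\\Program Files\\Suricata\\suricata.exe";
    const char *args = "-c suricata.yaml --service";
    char buf[512];

    build_image_path_unquoted(exe, args, buf, sizeof buf);
    printf("unquoted: %s  -> risky=%d\n", buf,
           image_path_is_unquoted_with_spaces(buf));

    build_image_path_quoted(exe, args, buf, sizeof buf);
    printf("quoted:   %s  -> risky=%d\n", buf,
           image_path_is_unquoted_with_spaces(buf));
    return 0;
}
```

The audit helper applies the same rule as the usual "unquoted service path" checks: a value is only safe when the executable token is quoted, and spaces inside the argument list are harmless because the SCM has already identified the binary by then. Quoting unconditionally, rather than only when a space is detected, is the simpler invariant to keep correct across install and parameter-change paths.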
Files
Updated by Philippe Antoine 26 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Gitlab MR
Updated by Philippe Antoine 26 days ago
- Severity set to LOW
Updated by Philippe Antoine 21 days ago
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 8.0 added
Updated by OISF Ticketbot 21 days ago
- Subtask #8627 added
Updated by OISF Ticketbot 21 days ago
- Label deleted (Needs backport to 8.0)
Updated by OISF Ticketbot 7 days ago
- Subtask #8665 added
Updated by OISF Ticketbot 7 days ago
- Label deleted (Needs backport to 7.0)
Updated by Philippe Antoine 5 days ago
- Status changed from In Review to Resolved