Security #8600
windows: unquoted LocalSystem service ImagePath (status: closed)
Description
Hello OISF Security Team,
I’m reporting a local privilege escalation issue in Suricata’s Windows service
install/update logic.
The attached report includes source-level analysis, positive and negative PoC
controls, writable-parent validation, and live disposable SCM validation showing
execution as SYSTEM / S-1-5-18.
Summary
Suricata’s SCServiceInstall and SCServiceChangeParams build the Windows service
ImagePath by taking the result of GetModuleFileName, appending the command-line
arguments separated by spaces, and passing the unquoted string to CreateService /
ChangeServiceConfig. When Suricata is installed under a path containing spaces,
the service control manager may resolve an earlier, shorter prefix of that path
and execute an attacker-controlled file placed there instead of suricata.exe.
Because the service is configured to run as LocalSystem, this can lead to local
privilege escalation in deployments where a parent directory of the install path
is writable by a lower-privileged user.
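The construction described above, alongside its hardened form and an audit check, as an added example that is not Suricata's own code. The path and argument strings are constructed samples, and the flagging rule (not quoted, and a space appears in the executable portion up to ".exe") is a heuristic assumption for auditing ImagePath values, not a description of the SCM's internal parser:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: case-insensitive search for ".exe"; returns a pointer
 * to the match or NULL. Avoids strncasecmp so the code is portable. */
static const char *find_exe_suffix(const char *s) {
    for (const char *p = s; *p; p++) {
        if (tolower((unsigned char)p[0]) == '.' &&
            tolower((unsigned char)p[1]) == 'e' &&
            tolower((unsigned char)p[2]) == 'x' &&
            tolower((unsigned char)p[3]) == 'e')
            return p;
    }
    return NULL;
}

/* Audit heuristic (assumption): an ImagePath is flagged when it is not wrapped
 * in double quotes and the executable portion (everything up to and including
 * the first ".exe", or the whole string if no ".exe") contains a space. */
bool image_path_is_unquoted_with_spaces(const char *image_path) {
    if (image_path == NULL || image_path[0] == '\0') return false;
    if (image_path[0] == '"') return false;            /* already quoted */
    const char *exe = find_exe_suffix(image_path);
    size_t prefix_len = exe ? (size_t)(exe - image_path) + 4 : strlen(image_path);
    return memchr(image_path, ' ', prefix_len) != NULL;
}

/* Mirrors the flawed construction the report describes: path, a space, the
 * arguments, and no quoting. Returns the length written or -1 on truncation. */
int build_image_path_unquoted(const char *exe_path, const char *args,
                              char *out, size_t cap) {
    int n = (args && *args) ? snprintf(out, cap, "%s %s", exe_path, args)
                            : snprintf(out, cap, "%s", exe_path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened construction: wrap the executable path in double quotes before
 * appending arguments, so the service manager sees one unambiguous token.
 * Paths that themselves contain a quote are rejected rather than mangled. */
int build_image_path_quoted(const char *exe_path, const char *args,
                            char *out, size_t cap) {
    if (exe_path == NULL || strchr(exe_path, '"') != NULL) return -1;
    int n = (args && *args) ? snprintf(out, cap, "\"%s\" %s", exe_path, args)
                            : snprintf(out, cap, "\"%s\"", exe_path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    /* Constructed sample values; any real install path would come from
     * GetModuleFileName on the host. */
    const char *exe  = "C:\\Program Files\\Suricata\\suricata.exe";
    const char *args = "-c \"C:\\Program Files\\Suricata\\suricata.yaml\" --service";
    char bad[512], good[512];

    build_image_path_unquoted(exe, args, bad, sizeof bad);
    build_image_path_quoted(exe, args, good, sizeof good);

    printf("unquoted: %s\n  flagged=%d\n", bad,
           image_path_is_unquoted_with_spaces(bad));
    printf("quoted:   %s\n  flagged=%d\n", good,
           image_path_is_unquoted_with_spaces(good));
    return 0;
}
```

The audit function is the piece worth reusing: run it over every service's ImagePath value (exported from the SCM or the registry) and the flagged entries are the ones whose binaries should be re-registered with a quoted path. A quoted ImagePath leaves nothing for a shorter prefix to match, which is the whole mitigation.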
Impact
Arbitrary code execution as LocalSystem on affected Windows hosts, subject to
installation path, ACLs, and service start/restart conditions.
I assess this as High severity: deployment-dependent local privilege escalation,
not remotely triggerable by network traffic.
I look forward to your review and am happy to provide any additional details
needed.
Regards,
Yazdan Soltani
Files