EG Free AntiVirus 2020 Privilege Escalation / Unquoted Service Path – Torchsec
# Date: 24/01/2022
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: http://www.egsoftweb.in/index.aspx
# Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6
# Version: 2020
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46439
-------------
Description:
-------------
EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with
an unquoted service path. Since this service is running as SYSTEM, it
creates a local privilege escalation vulnerability. To properly exploit
this vulnerability, a local attacker must insert an executable in the
path of the service. Rebooting the system or restarting the service
will run the malicious executable with elevated privileges.
------------------
Proof of Concept:
------------------
C:Usersshah>sc qc “WinSEGAV AutoConfig”
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WinSEGAV AutoConfig
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program FilesEGSoftWebEG Anti
Virusegavser.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Service For EG Free AntiVirus
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Best regards,
Shahrukh Iqbal Mirza.
Gloss