# Exploit Title: Veyon 4.4.1 - 'VeyonService' Unquoted Service Path# Discovery by: Víctor García# Discovery Date: 2020-03-23# Vendor Homepage: https://veyon.io/# Software Link: https://github.com/veyon/veyon/releases/download/v4.4.1/veyon-4.4.1.0-win64-setup.exe# Tested Version: 4.4.1# Vulnerability Type: Unquoted Service Path# Tested on: Windows 10 Pro x64# CVE: CVE-2020-15261# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i
"auto"|findstr /i /v "C:\Windows\\"|findstr /i /v """
Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe
# Service info:
C:\>sc qc VeyonService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VeyonService
TYPE : 10WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL: 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe
LOAD_ORDER_GROUP :
TAG: 0
DISPLAY_NAME : Veyon Service
DEPENDENCIES : Tcpip
: RpcSs
SERVICE_START_NAME : LocalSystem
# Exploit:# A successful attempt would require the local user to be able to insert their code in the# system root path undetected by the OS or other security applications where it could# potentially be executed during application startup or reboot. If successful, the local# user's code would execute with the elevated privileges of the application.
