Windows service: unquoted service path can allow for privilege escalation #289
Comments
see #290
Hello?
@trespassing-potato Could it be that you got fooled by your security scanner? Because if you step into the m.CreateService(... call at line 256, you will see that the path is already being escaped by a call to syscall.EscapeArg() (see https://docs.microsoft.com/en-us/previous-versions/ms880421(v=msdn.10)?redirectedfrom=MSDN). Note: I copied the comment from the pull request #290 - just in case someone stumbles upon this issue.
Yes, I believe so. I should have looked into it further before raising this issue, my apologies! (I tried to reproduce the issue discovered by our scanner, but the installed service in question (telegraf) has a quoted path). Also sent an email to MITRE regarding the CVE I requested, and asked them to mark it as invalid.
@trespassing-potato This vulnerability CVE-2022-29583 still shows up in scans. And it's still not marked as invalid. Can you please help?
Hello!
We use Telegraf (which depends on this library) and our vulnerability scanner notifies us of the following vulnerability with the telegraf service: Windows Unquoted Search Path or Element can allow local privilege escalation
I did some brief digging around and I think the problem boils down to this line:
service/service_windows.go
Line 226 in 36c9bf8
Here you take the path to the executing program (if I understood correctly) and later use it when you install the service. Doing this without adding quotes to the path means that the unquoted service path issue comes into effect.
You should be able to simply add quotes to the path, and in doing so solve the issue at hand.
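Added example, not part of the original issue or the project's code: a Go check for confirming a scanner finding like the one discussed in this thread, by classifying the ImagePath string a service was actually installed with as quoted or unquoted. The function names, the `.exe` boundary heuristic and the sample paths are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is the result of inspecting one service ImagePath (binPath) string.
type Finding string
const (
	Quoted             Finding = "quoted"
	NoSpaces           Finding = "unquoted, no spaces in executable path"
	UnquotedWithSpaces Finding = "UNQUOTED executable path with spaces"
)

// exeEnd is a heuristic: end of the first ".exe" followed by whitespace or end of string, else the first token.
func exeEnd(p string) int {
	for i := 0; i+4 <= len(p); i++ {
		if strings.EqualFold(p[i:i+4], ".exe") && (i+4 == len(p) || p[i+4] == ' ' || p[i+4] == '\t') {
			return i + 4
		}
	}
	if i := strings.IndexAny(p, " \t"); i >= 0 {
		return i
	}
	return len(p)
}

// ClassifyImagePath reports whether the executable part of a service command line is quoted.
func ClassifyImagePath(imagePath string) Finding {
	p := strings.TrimSpace(imagePath)
	if strings.HasPrefix(p, `"`) {
		return Quoted
	}
	if strings.ContainsAny(p[:exeEnd(p)], " \t") {
		return UnquotedWithSpaces
	}
	return NoSpaces
}

func main() {
	for _, s := range []string{ // constructed sample values, not from a real host
		`"C:\Program Files\Telegraf\telegraf.exe" --service`,
		`C:\Program Files\Example App\agent.exe --service`,
		`C:\Tools\agent.exe --config "C:\My Data\a.conf"`,
	} {
		fmt.Printf("%-40s %s\n", ClassifyImagePath(s), s)
	}
}
```

Because of the first-token fallback, an unquoted path to an executable without an `.exe` extension is not flagged; review such entries by hand.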