Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Update service_windows.go to avoid "unquoted search path" windows service issue #290

Closed
wants to merge 1 commit into from

Conversation

ghost
Copy link

@ghost ghost commented Aug 4, 2021

wrap exepath in quotes to avoid "unquoted search path" with windows services

wrap exepath in quotes to avoid "unquoted search path" with windows services
@KatelynHaworth
Copy link
Contributor

@kardianos are you able to review this PR? This issue is affecting the company I work for and if possible we would prefer to keep using your lib rather than a fork with this change.

@ghost
Copy link
Author

ghost commented Apr 25, 2022

I requested CVE-2022-29583 from MITRE

@masinger
Copy link

@trespassing-potato Could it be that you got fooled by your security scanner?

Because if you step into the m.CreateService(... call at line 256, you will see that the path is already being escaped by a call to syscall.EscapeArg() (see https://docs.microsoft.com/en-us/previous-versions/ms880421(v=msdn.10)?redirectedfrom=MSDN).

@twz123
Copy link

twz123 commented Apr 26, 2022

@trespassing-potato Do you maybe have a reproducer that triggers the vulnerability? What would a malicious input look like?

@ghost
Copy link
Author

ghost commented Apr 27, 2022

Hello! As I mentioned in #289 I tried to actually reproduce the issue discovered by our vulnerability scanner - but the added service in question (telegraf) does have a fully quoted path.

I apologize, I should have verified before doing anything :)

This pull request was closed.
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants