Unquoted service path
Mohad0 opened this issue · 4 comments
Hi GVFS team,
After installing SetupGVFS.1.0.21014.1.exe from https://github.com/microsoft/VFSForGit/releases/download/v1.0.21014.1/SetupGVFS.1.0.21014.1.exe, I noticed that its service is hijackable due to the unquoted service path. Using this vulnerability, attackers can execute different files as GVFS.Service. It allows local users to replace the service with arbitrary code to escalate their privileges. I hope you check this link for more details: https://cwe.mitre.org/data/definitions/428.html
Hello, @Mohad0. Please email me with more details. derrickstolee at github.com.
Hi, @Mohad0, have you sent me an email? I haven't seen one, even in my spam folder.
I'd like to hear more details so I can investigate this.
I am sorry for the late reply, just sent an email.
Thanks for your interest here. I did learn something during the investigation. However, I'm unable to reproduce (both by scanning the code for uses and by creating the problematic file and running the installers). I'm going to close this as "unable to repro".
@Mohad0: if you really have a demonstration of this vulnerability that is consistent, then please consider using the GitHub Bug Bounty program to submit your details.
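A detection check for the condition this issue reports (CWE-428, unquoted service path), added here as an example; it is not code from the VFSForGit project or from anyone in the thread. The function name `Test-UnquotedServicePath` and the sample command lines are constructed for illustration and are not taken from the GVFS installer.

```powershell
# Added example: flag service command lines that match CWE-428.
function Test-UnquotedServicePath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$PathName
    )
    process {
        # ImagePath is REG_EXPAND_SZ, so expand %ProgramFiles% and similar first.
        $p = [Environment]::ExpandEnvironmentVariables($PathName).Trim()

        # A path that starts with a quote is parsed unambiguously.
        if ($p.StartsWith('"')) { return $false }

        # Isolate the executable portion: everything up to the first ".exe"
        # followed by whitespace or end of string. Spaces that appear only
        # in the arguments after it do not create the ambiguity.
        $m = [regex]::Match($p, '^(?<exe>.*?\.exe)(?=\s|$)', 'IgnoreCase')
        if (-not $m.Success) { return $false }   # e.g. kernel drivers (.sys), empty paths

        # CWE-428 pattern: a space inside the unquoted executable path.
        return $m.Groups['exe'].Value.Contains(' ')
    }
}

# Constructed sample command lines (hypothetical vendor and paths).
$samples = @(
    'C:\Program Files\Example Vendor\Agent\agent.exe',               # unquoted, space in path
    '"C:\Program Files\Example Vendor\Agent\agent.exe" --service',   # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs -p',                 # spaces only in arguments
    'C:\Tools\svc.exe "C:\Data Dir\config.json"'                     # space only in a quoted argument
)
foreach ($s in $samples) {
    [pscustomobject]@{ Flagged = (Test-UnquotedServicePath $s); PathName = $s }
}

# On a live host, audit every registered service:
# Get-CimInstance -ClassName Win32_Service |
#     Where-Object { Test-UnquotedServicePath $_.PathName } |
#     Select-Object Name, StartName, PathName
```

A flagged entry is remediated by wrapping the executable path in the service's `ImagePath` value in double quotes; the `.exe` heuristic can miss service binaries registered with another extension.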