Unquoted service path vulnerability in PCoIP Agents for Windows 19.08.0 and earlier, and PCoIP Clients for Windows 19.08.2 and earlier

Last revised 2019-Dec-06
 

Summary

An unquoted service path vulnerability has been discovered in PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows, versions 19.08.0 and earlier, and also in PCoIP Client for Windows versions 19.08.2 and earlier.
 

When affected versions of a PCoIP Agent for Windows are installed, 'PCoIPArbiterService' and 'PCoIPPrintingSvc' services are created, in which the path to the executable contains whitespace and is unquoted. If an attacker inserted an executable into the file path at the whitespace, it would result in that file being launched with SYSTEM privileges.
 

When affected versions of a PCoIP Client for Windows are launched, Shcore.dll or user32.dll is loaded, and the path to the executable contains whitespace and is unquoted. If an attacker inserted an executable into the path at the whitespace, it would result in that file being launched with the user's privileges.

 

Severity

Medium

 

Affected Products

  • PCoIP Standard Agent for Windows 19.08.0 and earlier
  • PCoIP Graphics Agent for Windows 19.08.0 and earlier
  • PCoIP Client for Windows 19.08.2 and earlier

 

Available Updates

  • PCoIP Agent (Standard or Graphics) for Windows, 19.08.1
  • PCoIP Agent (Standard or Graphics) for Windows, 19.11 and later
  • PCoIP Client for Windows 19.08.3
  • PCoIP Client for Windows 19.11 and later

 

Workarounds and Mitigations

There are no workarounds that address this vulnerability. To mitigate the vulnerability, update the PCoIP Agent for Windows to 19.08.1 (or later) and update the PCoIP Client to 19.08.3 (or later).

 

Technical Details

A potential malicious usage of the Teradici PCoIP Printing Service (pcoip_vchan_printing_svc.exe) has been discovered: an arbitrary unsigned executable can be executed in place of the signed service process when the service is started by an Administrator, and it runs with NT AUTHORITY\SYSTEM privileges (Privilege Escalation, Whitelisting Bypass, Persistence).
 

A potential malicious usage of the Shcore.dll and user32.dll on the PCoIP client has been discovered, allowing one to execute an arbitrary unsigned executable at the user privilege level.

 

This may impact users as follows:

  1. It allows an attacker to use the service as an execution/persistence mechanism that executes a malicious program each time the service is started.
  2. It executes an arbitrary EXE file with NT AUTHORITY\SYSTEM permissions.
  3. It executes an arbitrary DLL file with user permissions on the client system.

This is an unquoted search path vulnerability (https://cwe.mitre.org/data/definitions/428.html), caused by the service executable path not being wrapped in a quoted string.
 

An arbitrary EXE file can be executed instead of the pcoip_vchan_printing_svc.exe signed process (can be used for various whitelisting attacks), without even creating a new service.
 

An arbitrary DLL file can be executed instead of Shcore.dll or user32.dll.
 

When the PCoIP Printing Service is started, the services.exe process tries to locate and spawn the service's executable file. Before it executes the original pcoip_vchan_printing_svc.exe executable, services.exe tries the following paths:

C:\Program.exe
C:\Program Files (x86)\Teradici\PCoIP.exe

This issue happens because the path of the executable contains spaces and is not wrapped in a quoted string. Once CreateProcess parses a space, it treats it as a possible boundary between the file name and its arguments, so the path through the “C:\Program Files (x86)\Teradici\PCoIP Agent” folder is split at each space in turn.
 

As mentioned in the CreateProcess documentation in MSDN (https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa):
 

If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
 
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe
c:\program files\sub dir\program name.exe
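The following added audit script (not Teradici's code) applies the CreateProcess lookup order quoted above to service ImagePath strings. It generalizes the two paths listed in the advisory to any number of spaces, and reports, for each unquoted path with spaces, the candidate executables a defender should confirm do not exist and cannot be created by non-administrators. The ImagePath values in the sample table are constructed for the example.

```python
"""Audit service ImagePath strings for CWE-428 (unquoted search path)."""
import re
from typing import Dict, List, Tuple

# On a real host the ImagePath values come from the registry under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; here they are
# constructed samples so the script runs offline.

# Executable portion of an unquoted ImagePath: up to the first ".exe".
_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_from_image_path(image_path: str) -> Tuple[str, bool]:
    """Return (executable_path, was_quoted) for a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = _EXE_RE.match(s)
    return (m.group(1) if m else s.split(" ", 1)[0]), False


def createprocess_candidates(exe_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces:
    every space-delimited prefix with ".exe" appended, then the full path."""
    parts = exe_path.split(" ")
    cands = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    cands.append(exe_path)
    return cands


def audit_services(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the hijack-candidate paths that
    would be executed before the real binary. Quoted paths and unquoted
    paths without spaces are not reported."""
    findings = {}
    for name, image_path in image_paths.items():
        exe, quoted = executable_from_image_path(image_path)
        if quoted or " " not in exe:
            continue
        findings[name] = createprocess_candidates(exe)[:-1]  # drop the real exe
    return findings


# Constructed sample data (hypothetical service names and paths).
SAMPLE_IMAGE_PATHS = {
    "PCoIPPrintingSvc": r"C:\Program Files (x86)\Teradici\PCoIP Agent\pcoip_vchan_printing_svc.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\svc host.exe" -run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, cands in audit_services(SAMPLE_IMAGE_PATHS).items():
        print(svc)
        for c in cands:
            print("  would be tried first:", c)
```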

 

References

The following article describes the vulnerability in detail: https://www.commonexploits.com/unquoted-service-paths/
 

One can also use the following PowerShell script to reveal services and software with unquoted paths to executables: https://github.com/VectorBCO/windows-path-enumerate/blob/Version-3.3.1/Windows_Path_Enumerate.ps1

 

Acknowledgements

We would like to thank Peleg Hadar of the SafeBreach (https://safebreach.com/) team for finding and reporting this vulnerability.