This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unquoted Path Vulnerability - please fix ASAP

lukg over 3 years ago

C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service - this service has an unquoted path.

Please fix it ASAP.

This thread was automatically locked due to age.

Top Replies

lukg over 3 years ago +1 verified

This is the reply from Sophos support: "This is known issue to Sophos and expected to be resolved in upcoming updates. You can change registry key and set "" manually after disabling Tamper Protection…

0 lukg over 3 years ago

I have created a support case with Sophos for this
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 3 years ago

Hello lukg,

just curious, which hmpalert.exe, Intercept X, and OS versions? I'm using it with the on-premise SESC and as far as I can see the paths are correctly quoted.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 lukg over 3 years ago in reply to QC

We are using Sophos Endpont Advanced 10.8.10.3 and Sophos Intercept X 2.0.20
Cancel
Vote Up 0 Vote Down

Cancel
+1 lukg over 3 years ago

This is the reply from Sophos support:

"This is known issue to Sophos and expected to be resolved in upcoming updates.
You can change registry key and set "" manually after disabling Tamper Protection"
Cancel
Vote Up +1 Vote Down

Cancel
0 Sophos User930 over 3 years ago in reply to lukg

The HMPA component's installer was recently updated. I can only think this was introduced at that point as it wasn't always an issue as QC mentions. The EDR product even has a query for this named "Unquoted paths in the service registry keys":

Description:

Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)

Created by Sophos

SELECT
r.path,
r.data
FROM registry r
WHERE
r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
-- Check for data that looks like a path, does not start with a quote and contains a space
-- Note: If the data has a parameter with a . in it will be incorrectly matched
AND r.data like '%:\%'
AND r.data not like '"%'
AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'

I assume it will be fixed at the first opportunity.
Cancel
Vote Up 0 Vote Down

Cancel
0 Yashraj S over 3 years ago in reply to lukg

Hi lukg,

Thank you for updating the community thread. I've marked your response as an answer.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
+1 PavSupport over 3 years ago

Its fixed in Hitmanpro version 3.8.2 which doesn't have announced dates yet, but this version is already available as a Hotfix. Hotfix after some testing becomes a part of general release (likely in June sometime). Here is the Hotfix download link:

https://support.sophos.com/support/s/article/KB-000038477?language=en_US

For context, this article describes how to exploit this vulnerability https://gracefulsecurity.com/privesc-unquoted-service-path/

This is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect:

1) admin access on a system in order to make c:\program.exe

2) The AV completely failed to detect program.exe

3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro

If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to Sophos User930

I see the hottfix installer was released today - Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix

This quotes the ImagePath under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalertsvc
Cancel
Vote Up 0 Vote Down

Cancel