Unquoted Path Vulnerability - please fix ASAP

C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service -  this service has an unquoted path.

Please fix it ASAP.



This thread was automatically locked due to age.
  • The HMPA component's installer was recently updated.  I can only think this was introduced at that point as it wasn't always an issue as QC mentions.  The EDR product even has a query for this named "Unquoted paths in the service registry keys":

    Description:

    Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)

    Created by Sophos


    SELECT
    r.path,
    r.data
    FROM registry r
    WHERE
    r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
    -- Check for data that looks like a path, does not start with a quote and contains a space
    -- Note: If the data has a parameter with a . in it will be incorrectly matched
    AND r.data like '%:\%'
    AND r.data not like '"%'
    AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'

    I assume it will be fixed at the first opportunity.

  • I see the hotfix installer was released today - Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix

    This quotes the ImagePath under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalertsvc
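
A stricter form of the check in the query quoted above, as an added example that is not part of the thread and is not Sophos code: it looks for a space inside the executable path only, so an argument containing a dot (the false match the query's comment warns about) is not flagged, and it returns the quoted ImagePath for flagged rows. The function names, the extension list and all sample rows except the hmpalert value are assumptions made for this example.

```python
import re

SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
# Extensions that mark the end of the executable: an assumption of this example.
EXE_END = re.compile(r'\.(?:exe|com|bat|cmd|sys)(?=\s|$)', re.IGNORECASE)
# Drive-letter path, optionally with the \??\ prefix used by some driver entries.
DRIVE_PATH = re.compile(r'^(?:\\\?\?\\)?[A-Za-z]:\\')

def analyse(data):
    """Return (flagged, executable, arguments) for one ImagePath value."""
    data = data.strip()
    if data.startswith('"') or not DRIVE_PATH.match(data):
        return False, None, None
    m = EXE_END.search(data)
    if not m:
        # Executable boundary unknown: flag if a space precedes the last backslash.
        return ' ' in data.rsplit('\\', 1)[0], None, None
    exe, args = data[:m.end()], data[m.end():].strip()
    # Only a space inside the executable path matters, not one before arguments.
    return ' ' in exe, exe, args

def quoted_form(data):
    """Return the ImagePath with the executable quoted, or None if not applicable."""
    flagged, exe, args = analyse(data)
    if not flagged or exe is None:
        return None
    return f'"{exe}" {args}'.rstrip()

def audit(rows):
    """Filter (registry path, data) rows down to the flagged ones."""
    return [(path, data) for path, data in rows if analyse(data)[0]]

# Constructed rows; only the first row's path and key name come from the thread.
SAMPLE_ROWS = [
    (SERVICES + r'\hmpalertsvc\ImagePath',
     r'C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service'),
    (SERVICES + r'\ExampleQuoted\ImagePath',
     r'"C:\Program Files\Example\svc.exe" /run'),
    (SERVICES + r'\ExampleArgs\ImagePath',
     r'C:\Windows\System32\example.exe -c settings.cfg'),
    (SERVICES + r'\ExampleDriver\ImagePath',
     r'\??\C:\Windows\System32\drivers\example.sys'),
]

if __name__ == '__main__':
    for path, data in audit(SAMPLE_ROWS):
        print(path, '->', quoted_form(data))
```
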