Netgate AMITI Antivirus Unquoted Service Path Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in Netgate AMITI Antivirus build 23.0.305. The issue arises from an unquoted service path in the AmitiAvSrv and AmitiAntivirusHealth services, allowing local attackers to escalate privileges. By placing a malicious executable in the unquoted service path and triggering a service restart or system reboot, attackers can execute code with LocalSystem privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, with executed code running under the LocalSystem account, which has extensive rights on the system.

Reproduction

The vulnerability can be reproduced by placing a malicious executable in the unquoted service path of the AmitiAvSrv or AmitiAntivirusHealth services. After the executable is placed, either the service can be restarted or the system can be rebooted, which will trigger the execution of the malicious code with elevated privileges.