Serviio PRO Unquoted Search Path Vulnerability Allowing Local Privilege Escalation

Vulnerability

A local privilege escalation vulnerability has been identified in Serviio PRO version 1.8.0.0, as well as in the earlier versions 1.7.1, 1.7.0, and 1.6.1. The issue arises from an unquoted search path in the Windows service: because the service's executable path contains spaces and is not enclosed in quotes, Windows may resolve it to a shorter path first, so a local user can place a malicious executable in the system root path and have it executed with the service's elevated privileges during the application's startup or a system reboot. Additionally, improper directory permissions granting full access to the Users group allow any authenticated user to replace the service executable with an arbitrary binary, which likewise runs with elevated privileges when the service is started or the system is rebooted.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated privileges, allowing a local user to gain higher access rights on the system.

Reproduction

The vulnerability can be reproduced by an authenticated local user who has access to the Serviio installation directory. The user can place a malicious executable in the unprotected system root path. Once the executable is in place, the user can restart the Serviio service or reboot the system, at which point the malicious code will be executed with elevated privileges.
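The two conditions described above (an unquoted service image path containing spaces, and broad write rights on a directory the service controller will consult) can both be audited read-only from PowerShell. The script below is an example added to this page by the editor; it is not part of the advisory and not Serviio's code. Because the page does not name the Serviio service or its installation directory, the script does not filter on them and instead reports every service on the host that meets the conditions, so it also serves as a general check for this vulnerability class.

```powershell
# Added audit script, not part of the advisory or of Serviio: enumerates every
# Windows service whose image path is unquoted and contains a space (the unquoted
# search path condition), then checks which directories along that path, and the
# executable's own directory, grant write-capable rights to broad groups such as
# BUILTIN\Users (the weak-permission condition). Read-only; nothing is modified.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        # A quoted path is unambiguous for CreateProcess, so it is not affected.
        if ($raw.TrimStart() -like '"*') { return }
        # Take the executable portion: everything up to and including the first ".exe".
        if ($raw -notmatch '^(?<exe>.*?\.exe)') { return }
        $exe = $Matches['exe'].Trim()
        # Without a space in the executable path there is nothing to misinterpret.
        if ($exe -notmatch '\s') { return }
        [pscustomobject]@{
            Service    = $_.Name
            StartName  = $_.StartName    # account the service runs as, e.g. LocalSystem
            StartMode  = $_.StartMode
            ImagePath  = $raw
            Executable = $exe
        }
    }
}

function Get-SearchPathCandidateDir {
    param([Parameter(Mandatory)][string]$Executable)
    # For "C:\Program Files\Vendor App\svc.exe" the service controller may try
    # "C:\Program.exe" and then "C:\Program Files\Vendor.exe" before the real
    # binary. The directory that matters for each attempt is the parent of the
    # truncated token, so collect those parents plus the executable's own folder.
    $dirs  = New-Object System.Collections.Generic.List[string]
    $parts = $Executable -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $parent = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        if ($parent -and -not $dirs.Contains($parent)) { $dirs.Add($parent) }
    }
    $exeDir = Split-Path -Path $Executable -Parent
    if ($exeDir -and -not $dirs.Contains($exeDir)) { $dirs.Add($exeDir) }
    $dirs
}

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that let a member create or replace files in the directory.
    $writeRights   = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $genericRights = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE on inherited ACEs
    $broadGroups   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadGroups -contains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights) -band ($writeRights -bor $genericRights)) -ne 0)
    }
}

# One row per (service, directory) pair; a non-empty WeakAces column means a
# broad group could drop or replace a binary where the service would pick it up.
$findings = foreach ($svc in Get-UnquotedServicePath) {
    foreach ($dir in Get-SearchPathCandidateDir -Executable $svc.Executable) {
        $aces = @(Get-BroadWriteAce -Path $dir)
        [pscustomobject]@{
            Service    = $svc.Service
            RunsAs     = $svc.StartName
            ImagePath  = $svc.ImagePath
            CheckedDir = $dir
            WeakAces   = ($aces | ForEach-Object { "$($_.IdentityReference) -> $($_.FileSystemRights)" }) -join '; '
        }
    }
}

$findings | Sort-Object -Property WeakAces -Descending | Format-Table -AutoSize
```

Rows that name a service running as LocalSystem with a non-empty WeakAces column are the ones that match this advisory's pattern. Remediation for the first condition is to quote the image path, for example `sc.exe config <ServiceName> binPath= "\"C:\full\path\to\service.exe\""` (service name and path are placeholders, since the page does not give them); for the second, remove Write, Modify and FullControl for Users and Authenticated Users from the installation and bin directories and re-run the script to confirm the rows clear.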

Added: Mar 16, 2026, 3:07 PM
Updated: Mar 16, 2026, 3:07 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact         10.0
exploitability  4.2
remediation     0.0
relevance       4.0
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.