OKI sPSV Port Manager Unquoted Service Path Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in OKI sPSV Port Manager version 1.0.41. The issue arises from an unquoted service path in the sPSVOpLclSrv service, allowing local attackers to escalate privileges. Exploitation involves inserting executable files into the unquoted path, which will execute with LocalSystem privileges when the service restarts or the system reboots.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, with executed payloads running under the LocalSystem account, which has extensive rights on the system.

Reproduction

The vulnerability can be reproduced by first confirming the unquoted service path using the Windows Management Instrumentation Command-line (WMIC) tool. After identifying the service path, an executable file can be placed into a directory within that path. Once the file is in place, restarting the service or the system will trigger the execution of the malicious executable with elevated privileges.