ActFax Unquoted Service Path Vulnerability in ActiveFax 10.10 Allowing Privilege Escalation

A privilege escalation vulnerability has been identified in ActFax version 10.10. The issue arises from an unquoted service path in the ActiveFaxServiceNT service, which can be exploited by local attackers. Those with write permissions to Program Files directories can inject a malicious ActSrvNT.exe executable. When the service is restarted, this injected executable can be executed, potentially leading to elevated system access.

Impact

Exploitation of this vulnerability could allow local attackers to escalate privileges, gaining elevated system access.

Reproduction

The vulnerability can be reproduced by first confirming the unquoted service path of the ActiveFaxServiceNT service. This can be done using the 'sc qc ActiveFaxServiceNT' command, which reveals the service's binary path. If the user has write privileges to the 'C:\Program Files\ActiveFax' directory or the root 'C:\' drive, they can inject a malicious 'ActSrvNT.exe' file into the service's installation folder. Once the malicious executable is in place, the ActiveFaxServiceNT service can be restarted, triggering the execution of the injected payload and resulting in privilege escalation.