Tosibox Key Service Unquoted Service Path Vulnerability Allowing Local Privilege Escalation
Vulnerability
A local privilege escalation vulnerability has been identified in Tosibox Key Service version 3.3.0. The issue arises from an unquoted service path, which local, non-privileged users can exploit to execute arbitrary code with elevated privileges. Exploitation relies on the service startup process: an attacker inserts malicious code into the system root path. If successful, the inserted code could be executed during application startup or system reboot, running with the application's elevated rights.
Impact
Exploitation of this vulnerability could lead to unauthorized code execution with elevated system privileges.
Reproduction
The vulnerability can be reproduced by inserting malicious code into the system root path, which is not detected by the operating system or security applications. This code can then be executed during the startup of the Tosibox Key Service application or during a system reboot.
Remediation
Users can upgrade to Tosibox Key Service version 3.3.1, which addresses this vulnerability.
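An added example, not part of the original advisory or of Tosibox's code: a Python audit that flags service ImagePath values that are unquoted and contain a space, the condition this advisory describes, and shows the quoted form of each. The service names and paths in SAMPLE_SERVICES are constructed, and treating the first ".exe" as the end of the executable is a heuristic assumption.

```python
import re
import sys

# Constructed sample ImagePath values; not taken from the advisory or a real host.
SAMPLE_SERVICES = {
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\svc.exe" --run',
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Key Service\svc.exe --run",
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Heuristic (assumption): the executable ends at the first ".exe" followed by
# whitespace or end of string; everything after it is treated as arguments.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments); None if already quoted or no .exe is found."""
    value = image_path.strip()
    match = None if value.startswith('"') else _EXE.match(value)
    if not match:
        return None
    return match.group(1), value[match.end():].strip()

def audit(services):
    """Return {service name: quoted ImagePath} for unquoted paths containing a space."""
    findings = {}
    for name, image_path in services.items():
        parts = split_image_path(image_path)
        if parts and " " in parts[0]:
            findings[name] = f'"{parts[0]}" {parts[1]}'.strip()
    return findings

def read_local_services():
    """Read ImagePath for every service key in the local registry (Windows only)."""
    import winreg
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    services[name] = str(winreg.QueryValueEx(key, "ImagePath")[0])
            except OSError:
                continue  # no ImagePath value, or access denied
    return services

if __name__ == "__main__":
    source = read_local_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, fixed in audit(source).items():
        print(f"{name}: unquoted path with spaces; quoted form: {fixed}")
```

On Windows the script reads the local registry; elsewhere it runs over the constructed samples.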
