Hasleo Backup Suite Unquoted Search Path Vulnerability in Windows Services
Vulnerability
A local privilege escalation vulnerability has been identified in Hasleo Backup Suite versions through 5.2. The issue arises from the Windows services HasleoBackupSuiteService and HasleoImageMountService, both of which are registered with unquoted ImagePaths that contain spaces. Because the path is not quoted, the Windows service loader cannot tell where the executable name ends, so it tries the shorter path formed at each space (with .exe appended) before the intended binary; a malicious executable placed at one of those earlier path tokens would be run instead. If an attacker can write to such a token, the binary runs with the service's privileges, which can result in a full system compromise.
Impact
Exploitation of this vulnerability allows an unprivileged local user to execute arbitrary code with LocalSystem privileges, leading to a complete system compromise.
Reproduction
The vulnerability can be reproduced by first checking the service configuration with the 'sc qc' command. The unquoted ImagePath can be observed in the service details. Once confirmed, an executable can be placed in a writable early path token. When the service is started or restarted, the malicious executable will be executed under the LocalSystem account.
Remediation
Users are advised to upgrade to a fixed release of Hasleo Backup Suite; versions through 5.2 are affected. The upgrade is available on the EasyUEFI website.
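As an added example (not part of this advisory or of Hasleo's software), the following PowerShell audit helper lists every Win32 service whose ImagePath is unquoted and contains spaces, shows the intermediate file names the service loader would try before the real executable, and can rewrite a service's ImagePath with the quotes it should have had. It assumes an elevated session on the host being audited and uses the heuristic that the executable ends at the first ".exe" token.

```powershell
# Added audit/remediation helper; assumes an elevated PowerShell session.
function Get-UnquotedServicePath {
    # Returns services whose ImagePath is an unquoted, space-containing path,
    # together with the intermediate files the service loader would try first.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match '^[A-Za-z]:\\' } |
        ForEach-Object {
            $path = $_.PathName
            # Heuristic: the executable ends at the first ".exe"; the rest are arguments.
            $m = [regex]::Match($path, '^(.*?\.exe)(\s.*)?$', 'IgnoreCase')
            if (-not $m.Success) { return }
            $exe       = $m.Groups[1].Value
            $argString = $m.Groups[2].Value
            if ($exe -notmatch ' ') { return }   # no space, no ambiguity
            # Each prefix ending before a space is tried first, with ".exe"
            # appended because the prefix has no extension.
            $candidates = @()
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidates += ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Name       = $_.Name
                StartName  = $_.StartName      # e.g. LocalSystem
                Executable = $exe
                Arguments  = $argString.Trim()
                Candidates = $candidates
            }
        }
}

function Repair-UnquotedServicePath {
    # Rewrites the ImagePath of one flagged service with the executable quoted.
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $finding = Get-UnquotedServicePath | Where-Object Name -eq $Name
    if (-not $finding) { Write-Host "$Name is already quoted or has no spaces"; return }
    $fixed = '"' + $finding.Executable + '"'
    if ($finding.Arguments) { $fixed += ' ' + $finding.Arguments }
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    Write-Host "$Name ImagePath set to: $fixed"
}

# Report: service name, account it runs as, and the unquoted executable.
Get-UnquotedServicePath | Format-Table Name, StartName, Executable -AutoSize
```

Review each finding before calling Repair-UnquotedServicePath, since the ".exe" heuristic cannot distinguish an executable from an argument that also contains ".exe"; the service must be restarted for the new ImagePath to take effect.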