Muse Group MuseHub Unquoted Search Path Vulnerability in Updater Service Allowing Local Privilege Escalation

Vulnerability

A vulnerability exists in the Windows Service component of Muse Group MuseHub version 2.1.0.1567. The issue arises from an unquoted executable path for the Muse.Updater.exe file, located in the WindowsApps directory. This flaw creates an unquoted search path vulnerability, allowing local users with low privileges to execute arbitrary binaries under the service account when the service is started. Exploitation is considered difficult, requiring local access and the ability to manipulate the service's execution path.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution under the service account, potentially allowing a local user to escalate privileges, especially if the service runs as SYSTEM or another high-privileged account.

Reproduction

To reproduce this vulnerability, a local user must write an executable into the 'C:\Program' directory, which is writable. Once the executable is placed there, the user can start or restart the MuseHub Updater Service. Because of the unquoted search path, the service will execute the placed binary.
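
To audit a host for the same condition, the added example below (not from this advisory or from Muse Group) checks service ImagePath strings for an unquoted executable path containing spaces and produces the quoted form to set instead. The service names and paths are constructed samples, since the advisory does not give the full path, and treating the first ".exe" as the end of the executable is an assumption of this sketch.

```python
import re

# Assumption: the executable ends at the first ".exe" that is followed by
# whitespace or the end of the string; everything after it is arguments.
_EXE = re.compile(r"^(.+?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)

# Constructed sample ImagePath values (hypothetical, not from the advisory).
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files\WindowsApps\Example.App_1.0.0.0_x64__placeholder"
                      r"\Updater\Example.Updater.exe --service",
    "QuotedUpdater": r'"C:\Program Files\Example App\updater.exe" --service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def audit_image_path(image_path):
    """Return None when the path is safe, else a dict describing the finding."""
    text = image_path.strip()
    if text.startswith('"'):
        return None  # quoted: Windows resolves exactly one executable
    match = _EXE.match(text)
    if not match or " " not in match.group(1):
        return None  # no space inside the executable path, nothing ambiguous
    exe, args = match.group(1), match.group(2)
    # At each space Windows may try "<prefix>.exe" before the intended file,
    # so none of these locations may be creatable by low-privileged users.
    tried_first = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return {
        "executable": exe,
        "tried_first": tried_first,
        "quoted_fix": f'"{exe}"{args}',  # value the ImagePath should hold
    }


def audit_services(services):
    """Map service name -> finding for every unquoted path with spaces."""
    return {name: finding for name, path in services.items()
            if (finding := audit_image_path(path))}


if __name__ == "__main__":
    for name, finding in audit_services(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path with spaces")
        print(f"    review write access for: {finding['tried_first']}")
        print(f"    set ImagePath to:        {finding['quoted_fix']}")
```

On a real host the input would come from each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services.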

Added: Nov 20, 2025, 3:47 PM
Updated: Nov 20, 2025, 3:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.