Lavasoft Web Companion Unquoted Service Path Vulnerability in DCIService Component

Vulnerability

A privilege escalation vulnerability has been identified in Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037. The vulnerability arises from the DCIService.exe service being installed with an unquoted service path that contains spaces. Because Windows resolves such a path by trying each space-delimited prefix in turn, a local attacker with write access to a directory along that path can execute arbitrary code with elevated privileges by placing an executable with the matching truncated name there.

Impact

Exploitation of this vulnerability allows local users to escalate privileges to the SYSTEM level, with a complete compromise of confidentiality, integrity, and availability.

Reproduction

The vulnerability can be reproduced by first identifying the unquoted service path of DCIService using the Windows Management Instrumentation Command-line (WMIC) tool. After confirming the unquoted path, the service configuration is queried to verify that the service runs as LocalSystem. The next step is to check the permissions of the directories along the service executable's path, which reveals that write access is possible for certain users. Once these conditions are met, an executable named 'Web.exe' or 'Companion.exe' can be created and placed in the 'C:\Program Files (x86)\Lavasoft\' directory. After placing the executable, the service can be restarted, at which point the planted file is executed with LocalSystem privileges.

Remediation

Users can manually add quotes to the service path using the 'sc config' command (the binPath= argument). The vendor should also update the service installation to register a quoted path.
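The checks described under Reproduction (unquoted path, service account, directory permissions) and the 'sc config' fix under Remediation can be combined into one audit script. The following PowerShell is an added example, not code from the advisory or from Lavasoft; it enumerates every service with an unquoted image path containing spaces, reports which ancestor directories grant write rights to broad groups, and with the assumed -Fix switch re-registers the path quoted. The service name DCIService comes from the advisory; the full image path is not given on the page, so nothing here assumes it.

```powershell
# Audit services for unquoted image paths and optionally quote them.
# Added example (not from the advisory). Run from an elevated PowerShell 5.1+ session.
param(
    [switch]$Fix   # assumed parameter name: rewrite offending paths with quotes
)

# Principals that should never hold write rights on a directory along a service path.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-BroadWrite {
    # True when any broad principal may create files in $Directory.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles (WriteData) is the bit needed to drop a file; Modify and
        # FullControl both include it.
        $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
        if (($ace.FileSystemRights -band $create) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # One object per service whose image path is unquoted and contains a space,
    # i.e. the condition the advisory reports for DCIService.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path) -or $path.TrimStart().StartsWith('"')) { return }
        # The executable ends at the first ".exe"; anything after it is service arguments.
        $m = [regex]::Match($path, '^(.+?\.exe)(.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe  = $m.Groups[1].Value
        $tail = $m.Groups[2].Value
        if ($exe -notmatch ' ') { return }

        # Windows tries a truncated name at every space (e.g. ...\Lavasoft\Web.exe
        # as the advisory describes), so every ancestor directory is a candidate
        # drop location; flag those writable by broad groups.
        $writable = @()
        $segments = $exe -split '\\'
        for ($i = 0; $i -lt $segments.Count - 1; $i++) {
            $dir = ($segments[0..$i] -join '\')
            if ($i -eq 0) { $dir += '\' }          # drive root needs its trailing slash
            if (Test-BroadWrite $dir) { $writable += $dir }
        }

        [pscustomobject]@{
            Name              = $_.Name
            Account           = $_.StartName      # 'LocalSystem' is the worst case
            PathName          = $path
            Exe               = $exe
            Arguments         = $tail
            BroadWritableDirs = $writable
        }
    }
}

foreach ($f in Get-UnquotedServicePath) {
    Write-Output ('[UNQUOTED] {0} (runs as {1}): {2}' -f $f.Name, $f.Account, $f.PathName)
    if ($f.BroadWritableDirs.Count -gt 0) {
        Write-Output ('    broadly writable ancestor(s): {0}' -f ($f.BroadWritableDirs -join ', '))
    }
    if ($Fix) {
        # Same effect as the manual 'sc config <name> binPath= "..."' step. The \`"
        # sequence yields a literal backslash-quote, which survives PowerShell's
        # native-command argument quoting and reaches sc.exe as a plain ".
        $quoted = "\`"$($f.Exe)\`"$($f.Arguments)"
        & sc.exe config $f.Name binPath= $quoted
    }
}
```

Run it without -Fix first and review the output: a service running as LocalSystem with a broadly writable ancestor directory is the combination the advisory describes. Re-run the audit after fixing; a quoted path is skipped on the next pass, which confirms the change took effect.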

Added: Oct 9, 2025, 3:19 PM
Updated: Oct 9, 2025, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.