memoQ Unquoted Service Path Vulnerability in Auto Update Service Allowing Privilege Escalation

A local privilege escalation vulnerability has been identified in the memoQ Auto Update Service (memoQauhlp101) in memoQ versions 10.1.13.ef1b2b52aae and earlier. The vulnerability arises from an unquoted service path that includes spaces, allowing local users to escalate privileges to SYSTEM by placing a malicious executable in an earlier searched path element, such as C:\Program.exe.

Impact

Exploitation of this vulnerability allows for local privilege escalation to the NT AUTHORITY\SYSTEM account.

Reproduction

To reproduce this vulnerability, place a malicious executable at C:\Program.exe, which requires write access to the C:\ drive. Then, restart the memoQ Auto Update Service or reboot the system. The executable will be executed with SYSTEM privileges.

Remediation

Users are advised to upgrade to the latest version of memoQ, where the service path issue has been addressed. As a temporary fix, the service can be stopped, reconfigured to include quotes around the path, and then restarted. Additionally, ensure that unprivileged users cannot write to early path elements like C:\.