Privacy Drive 3.17.0 Unquoted Service Path Privilege Escalation (CVE-2020-37231)
Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service, allowing local attackers to escalate privileges by placing malicious executables in the unquoted path directories, leading to arbitrary code execution with LocalSystem privileges.
Cybertron Soft’s Privacy Drive version 3.17.0 is vulnerable to an unquoted service path vulnerability (CVE-2020-37231) affecting the pdsvc.exe service. This flaw allows a local attacker with limited privileges to escalate their privileges to SYSTEM. The vulnerability exists because the service’s executable path contains spaces and lacks proper quoting, which can lead to Windows executing unintended binaries located in the service’s path. An attacker can leverage this by placing a malicious executable in a directory within the unquoted path. When the system or service restarts, the malicious executable is executed with SYSTEM privileges.
Attack Chain
- The attacker identifies the unquoted service path for the pdsvc.exe service.
- The attacker determines a directory in the unquoted service path where they can place files.
- The attacker crafts a malicious executable (e.g., program.exe).
- The attacker renames the malicious executable to match a portion of the unquoted service path, such as the first word in the full path (e.g., if the path is “C:\Program Files\Privacy Drive\pdsvc.exe”, the attacker might name their executable “Program.exe”).
- The attacker places the renamed malicious executable in the accessible directory within the unquoted path (e.g., C:\).
- The attacker triggers a service restart or system reboot.
- During service startup, Windows attempts to execute the service binary using the unquoted path, but instead executes the malicious executable placed in the earlier steps.
- The malicious executable runs with SYSTEM privileges, granting the attacker elevated access to the system.
Impact
A successful exploit allows a local attacker to gain complete control over the affected system. The attacker can install programs, view, change, or delete data, or create new accounts with full user rights. This vulnerability poses a significant risk to systems where Privacy Drive 3.17.0 is installed, especially in environments where multiple user accounts exist or where sensitive data is stored.
Recommendation
- Apply the Sigma rule “Detect Unquoted Service Path Exploitation” to identify potential attempts to exploit unquoted service paths by monitoring process creation events.
- Apply the Sigma rule “Detect Privacy Drive Service Execution from Unusual Location” to detect if the pdsvc.exe service is executed from an unexpected location, which could indicate exploitation.
- Follow remediation steps provided by Cybertron Soft to properly quote the service path or upgrade to a patched version of Privacy Drive, when available.
- Review service configurations for other unquoted service paths to prevent similar privilege escalation attacks.
Detection coverage (2 rules)
Detect Unquoted Service Path Exploitation (severity: high)
Detects exploitation of unquoted service paths by monitoring process creation for executables in world-writable directories.
Detect Privacy Drive Service Execution from Unusual Location (severity: medium)
Detects if the Privacy Drive service (pdsvc.exe) is executed from a location other than its expected installation directory.
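The following is an added worked example, not Cybertron Soft's code and not the platform's Sigma rules. It shows the mechanics behind both the attack chain and the two detection rules: how Windows resolves an unquoted ImagePath containing spaces (cutting at each space in turn and appending .exe), so that an audit can list the paths a planted binary could occupy, and how process-creation records can be checked against those paths and against the expected install directory. The service paths and the Sysmon-style events are constructed sample data; the install directory is taken from the advisory's example path and treated as an assumption.

```python
import ntpath
import re
from typing import Dict, List

# Install directory from the advisory's example path (assumption; confirm on the host).
EXPECTED_PDSVC_DIR = r"C:\Program Files\Privacy Drive"


def executable_part(image_path: str) -> str:
    """Return the executable portion of a service ImagePath, dropping any arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(?i)(.*?\.exe)", p)
    return m.group(1) if m else p


def hijack_candidates(image_path: str) -> List[str]:
    """Paths Windows would try before the real binary when an ImagePath is unquoted.

    CreateProcess resolves an unquoted command line by cutting at each space in turn
    and appending '.exe' when the fragment has no extension. A quoted path or a path
    without spaces is unambiguous and yields no candidates.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return []
    exe = executable_part(p)
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            fragment = exe[:i]
            if not fragment.lower().endswith(".exe"):
                fragment += ".exe"
            candidates.append(fragment)
    return candidates


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an unquoted, space-containing path to its candidate hijack paths."""
    findings = {}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


def detect(events: List[Dict[str, str]], services: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply the logic of the two rules above to Sysmon Event ID 1 style records."""
    watch = {c.lower(): name for name, cands in audit_services(services).items() for c in cands}
    alerts = []
    for ev in events:
        image = ev["Image"]
        key = image.lower()
        # Rule 1: a process started from a path that only exists because of an unquoted service path.
        if key in watch:
            alerts.append({"rule": "Detect Unquoted Service Path Exploitation", "severity": "high",
                           "service": watch[key], "image": image, "parent": ev["ParentImage"]})
        # Rule 2: pdsvc.exe running from somewhere other than its install directory.
        if key.endswith(r"\pdsvc.exe") and ntpath.dirname(key) != EXPECTED_PDSVC_DIR.lower():
            alerts.append({"rule": "Detect Privacy Drive Service Execution from Unusual Location",
                           "severity": "medium", "service": "pdsvc", "image": image,
                           "parent": ev["ParentImage"]})
    return alerts


# Constructed sample data: registry-style ImagePath values and process-creation records.
SAMPLE_SERVICES = {
    "pdsvc": r"C:\Program Files\Privacy Drive\pdsvc.exe",
    "QuotedSvc": r'"C:\Program Files\Some Vendor\svc.exe" -k worker',
    "Netsvcs": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Privacy Drive\pdsvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\Public\pdsvc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"HOST\lowpriv"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def demo_alerts() -> List[Dict[str, str]]:
    """Run the detection logic over the constructed sample data."""
    return detect(SAMPLE_EVENTS, SAMPLE_SERVICES)


if __name__ == "__main__":
    for svc, cands in audit_services(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path, candidate hijack paths: {cands}")
    for alert in demo_alerts():
        print(f"[{alert['severity']}] {alert['rule']}: {alert['image']} (parent {alert['parent']})")
```

On a real host the ImagePath values come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; a complete audit would also check whether the directory of each candidate path is writable by non-administrators, since only those candidates are exploitable. The rule 1 logic is the useful part for a SOC: it turns the unquoted path into concrete file paths to watch, rather than relying on a generic "executable in a writable directory" heuristic.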