Kite Unquoted Service Path Vulnerability (CVE-2020-37247)
Kite 4.2.0.1 U1 contains an unquoted service path vulnerability (CVE-2020-37247) in the KiteService Windows service that allows local attackers to escalate privileges by placing a malicious executable in a directory along the service path.
Kite 4.2.0.1 U1 suffers from an unquoted service path vulnerability within its KiteService Windows service. This weakness allows a local attacker with low privileges to escalate their privileges to LocalSystem. By exploiting the unquoted service path, an attacker can insert a malicious executable into a directory that is part of the service’s execution path. When the KiteService service starts, it will inadvertently execute the attacker-controlled binary with elevated privileges, granting the attacker full control over the system. This vulnerability has been assigned CVE-2020-37247.
Attack Chain
- Attacker gains low-privilege access to the target Windows system.
- Attacker identifies the vulnerable KiteService service with an unquoted path.
- Attacker analyzes the service path to identify directories where they can write files.
- Attacker crafts a malicious executable, named to match an expected part of the unquoted path (e.g., “Program.exe” if the path is “C:\Program Files\Kite\Program Files\KiteService.exe”).
- Attacker places the malicious executable in a directory within the service’s path (e.g., C:\Program Files\Kite).
- Attacker triggers a restart of the KiteService service (e.g., by rebooting the machine or stopping/starting the service).
- Windows attempts to execute the KiteService service. Due to the unquoted path, it first executes the attacker’s malicious executable with LocalSystem privileges.
- The attacker’s executable performs privileged actions, effectively escalating the attacker’s privileges.
Impact
Successful exploitation of this unquoted service path vulnerability allows a local attacker to escalate their privileges to LocalSystem. This grants the attacker complete control over the compromised system, allowing them to install software, modify data, and create new accounts with full administrative rights. The CVE has a CVSS v3.1 score of 7.8, indicating a high severity.
Recommendation
- Deploy the Sigma rule Detect Unquoted Service Path Exploitation to your SIEM and tune for your environment to identify potential exploitation attempts.
- Apply the official patch from Kite (if available) to remediate the unquoted service path vulnerability described in CVE-2020-37247.
- Monitor process creation events for the execution of unexpected executables from directories within the unquoted service path, as described in the attack chain.
- Implement application control policies to restrict the execution of unauthorized executables within directories commonly affected by unquoted service path vulnerabilities (e.g., C:\Program Files, C:\Program Files (x86)).
- Use the Get-Service PowerShell cmdlet to identify services with unquoted paths in your environment.
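The service inventory recommended above can be run as the following audit, an added example that is not part of the original advisory or Kite's own code. It assumes the service command line is read from Win32_Service.PathName through Get-CimInstance, which exposes the binary path on every PowerShell version; the function name Get-UnquotedPathCandidates is hypothetical.

```powershell
# Added example: inventory of services whose command line is unquoted and contains spaces.
# Assumption: Win32_Service.PathName (via Get-CimInstance) is the source of the service path.

function Get-UnquotedPathCandidates {
    # Returns the "<prefix>.exe" locations Windows may try before the intended binary.
    param([Parameter(Mandatory)][string]$PathName)

    $cmd = $PathName.Trim()
    # A command line that starts with a quote is parsed unambiguously.
    if ($cmd.StartsWith('"')) { return @() }

    # Keep only the executable part, dropping any service arguments.
    $m = [regex]::Match($cmd, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value

    # Each space inside the executable path is one ambiguous split point.
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# Sample input: the illustrative path from the attack chain above, not a confirmed install path.
Get-UnquotedPathCandidates -PathName 'C:\Program Files\Kite\Program Files\KiteService.exe'

# Audit the local machine.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $cands = @(Get-UnquotedPathCandidates -PathName $_.PathName)
        if ($cands.Count -gt 0) {
            [pscustomobject]@{
                Service            = $_.Name
                RunsAs             = $_.StartName
                PathName           = $_.PathName
                CandidatePaths     = $cands -join '; '
                # A file already present at a candidate path warrants investigation.
                ExistingCandidates = @($cands | Where-Object { Test-Path -LiteralPath $_ }) -join '; '
            }
        }
    } |
    Format-List
```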
Detection coverage (2)
- Detect Unquoted Service Path Exploitation (high): Detects exploitation attempts of unquoted service path vulnerabilities by monitoring process creation events from common program directories.
- Detect Service Start via Services.exe with Suspicious CommandLine (medium): Detects service starts via services.exe with command lines containing suspicious patterns often abused in unquoted service path exploits.