Attack Chain

1. The attacker identifies that the AdvancedSystemCareService13 service is installed and running.
2. The attacker confirms that the service’s binary path is unquoted (e.g., C:\Program Files\IObit\Advanced SystemCare\AdvancedSystemCareService13.exe).
3. The attacker places a malicious executable named “Program.exe” in the C:\ directory.
4. The operating system, when attempting to execute the service, parses “C:\Program” as the executable path due to the missing quotes.
5. The malicious “Program.exe” is executed with LocalSystem privileges.
6. The attacker leverages the LocalSystem privileges to perform actions such as installing malware, modifying system settings, or creating new administrative accounts.
7. The attacker achieves persistence by creating a scheduled task or modifying registry keys to ensure continued access to the compromised system.

Impact

Successful exploitation of this vulnerability allows a local attacker to gain full control of the affected system. This can lead to complete system compromise, data theft, and the installation of persistent backdoors. While the source doesn’t specify the number of affected systems, any system running Advanced System Care Service 13.0.0.157 is potentially vulnerable. The impact is especially critical in environments where Advanced System Care is deployed on sensitive systems.

Recommendation

• Deploy the Sigma rule “Detect Unquoted Service Path Exploitation” to identify potential attempts to exploit this vulnerability by monitoring for process creations from the root directory (C:).
• Audit installed services for unquoted paths using tools like Get-WmiObject win32_service | select Name, PathName in PowerShell and remediate by adding quotes around the service path.
• Monitor file creation in the root directory (C:) for suspicious executables using file integrity monitoring tools.
• Consider upgrading Advanced System Care to a version that addresses the unquoted service path vulnerability, if available.