Attack Chain

1. Attacker gains low-privilege access to the target Windows system.
2. Attacker identifies the vulnerable service, sPSVOpLclSrv, and its unquoted service path.
3. Attacker creates a malicious executable (e.g., payload.exe) designed to elevate privileges.
4. Attacker places the malicious executable in a directory within the unquoted service path (e.g., C:\Program Files\OKI\sPSV Port Manager\payload.exe).
5. Attacker triggers a restart of the sPSVOpLclSrv service or reboots the system.
6. The operating system attempts to execute the service using the unquoted path, inadvertently executing the malicious executable placed by the attacker.
7. The malicious executable runs with LocalSystem privileges, granting the attacker elevated access.
8. The attacker leverages the elevated privileges to perform malicious actions, such as installing backdoors, creating new user accounts, or exfiltrating sensitive data.

Impact

Successful exploitation of this unquoted service path vulnerability (CVE-2020-37229) allows a local attacker to escalate privileges to LocalSystem. This level of access grants the attacker complete control over the compromised system, enabling them to install malware, steal sensitive information, or disrupt critical business operations. The vulnerability affects systems running OKI sPSV Port Manager 1.0.41.

Recommendation

• Apply the necessary patch or upgrade to a version of OKI sPSV Port Manager that addresses CVE-2020-37229.
• Deploy the Sigma rule “Detect Unquoted Service Path Exploitation - OKI sPSV Port Manager” to identify potential exploitation attempts by monitoring process creations related to the vulnerable service.
• Regularly audit service configurations to identify and remediate unquoted service paths, mitigating this class of vulnerabilities.