Attack Chain

1. Attacker gains initial local access to the system with a low-privilege account.
2. The attacker identifies the unquoted service path for VX Search Server or VX Search Enterprise (e.g., C:\Program Files\VX Search).
3. The attacker creates a malicious executable (e.g., C:\Program.exe).
4. The attacker places the malicious executable in the first directory in the unquoted service path (e.g., C:\Program Files\VX Search\VXSearchService.exe).
5. The attacker restarts the VX Search service, either directly or by rebooting the system.
6. The operating system attempts to execute the service, but due to the unquoted path, it first executes the malicious executable (C:\Program.exe) with LocalSystem privileges.
7. The malicious executable performs its intended actions, such as creating new administrator accounts or installing malware.
8. The attacker now has elevated privileges and can perform arbitrary actions on the system.

Impact

Successful exploitation of this vulnerability allows a local attacker to gain complete control of the affected system, due to arbitrary code execution as SYSTEM. This can lead to data theft, system compromise, and potentially lateral movement within the network. Given the nature of VX Search, which is used for file indexing and searching, successful exploitation could also compromise sensitive data stored on the system or network.

Recommendation

• Enclose the service path in double quotes to prevent the operating system from misinterpreting the path (reference CVE-2021-47974).
• Monitor process creation events for executables running from unusual paths, especially those matching the prefix of “C:\Program Files" using the Sigma rule Detect Unquoted Service Path Exploitation.
• Implement access controls to restrict who can write to directories in the service path.
• Regularly review and audit service configurations for unquoted paths.
• Consider using application control solutions to prevent unauthorized executables from running.