{"id":22081,"date":"2022-03-23T20:18:28","date_gmt":"2022-03-23T16:18:28","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166412\/protonvpn1260-unquotedpath.txt"},"modified":"2022-03-28T09:53:02","modified_gmt":"2022-03-28T05:23:02","slug":"protonvpn-1-26-0-unquoted-service-path","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/protonvpn-1-26-0-unquoted-service-path\/","title":{"rendered":"ProtonVPN 1.26.0 Unquoted Service Path"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: ProtonVPN 1.26.0 &#8211; Unquoted Service Path<br \/>\n# Date: 22\/03\/2022<br \/>\n# Exploit Author: gemreda (@gemredax)<br \/>\n# Vendor Homepage: https:\/\/protonvpn.com\/<br \/>\n# Software Link: https:\/\/protonvpn.com\/<br \/>\n# Version: 1.26.0<br \/>\n# Tested: Windows 10 x64<br \/>\n# Contact: gemredax@pm.me<\/p>\n<p dir=\"ltr\">PS C:\\Users\\Emre&gt; sc.exe qc &#8220;ProtonVPN Wireguard&#8221;<br \/>\n[SC] QueryServiceConfig SUCCESS<\/p>\n<p dir=\"ltr\">SERVICE_NAME: ProtonVPN Wireguard<br \/>\nTYPE : 10 WIN32_OWN_PROCESS<br \/>\nSTART_TYPE : 3 DEMAND_START<br \/>\nERROR_CONTROL : 1 NORMAL<br \/>\nBINARY_PATH_NAME : C:\\Program Files (x86)\\Proton Technologies\\ProtonVPN\\ProtonVPN.WireGuardService.exe C:\\ProgramData\\ProtonVPN\\WireGuard\\ProtonVPN.conf<br \/>\nLOAD_ORDER_GROUP :<br \/>\nTAG : 0<br \/>\nDISPLAY_NAME : ProtonVPN WireGuard<br \/>\nDEPENDENCIES : Nsi<br \/>\n: TcpIp<br \/>\nSERVICE_START_NAME : LocalSystem<\/p>\n<p dir=\"ltr\">#Exploit:<\/p>\n<p dir=\"ltr\">The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.<br \/>\nIf a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as &#8220;C:\\Program.exe&#8221; to be run by a privileged program making use of WinExec.<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: ProtonVPN 1.26.0 &#8211; Unquoted Service Path # Date: 22\/03\/2022 # Exploit Author: gemreda (@gemredax) # Vendor Homepage: https:\/\/protonvpn.com\/ # Software Link: https:\/\/protonvpn.com\/ # Version: 1.26.0 # Tested: Windows 10 x64 # Contact: gemredax@pm.me PS C:\\Users\\Emre&gt; sc.exe qc &#8220;ProtonVPN Wireguard&#8221; [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ProtonVPN Wireguard TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-22081","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=22081"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22081\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=22081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=22081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=22081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}