Unquoted service path vulnerability in WCAssistantService Lavasoft


Vulnerability: Unquoted service path vulnerability in WCAssistantService Lavasoft

Severity: High

Impact: Any user on a system that has Lavasoft Web Companion installed can elevate their privileges on the local system.

Description:

Web Companion blocks websites that try to steal your personal information by impersonating sites you know and trust. It keeps your passwords, payment and other personal information safe from hackers.

An unquoted service path exists for the service "WCAssistantService". Because the service's executable path contains spaces and is not enclosed in quotes, this could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

How to check:
C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
WC Assistant                                                           WCAssistantService                                      C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe         Auto
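
The wmic filter above only lists auto-start services outside C:\Windows, and wmic is deprecated on current Windows releases. As an added example (not part of the original advisory or the vendor's code), the PowerShell below audits every service and can quote the ImagePath registry value as the fix; the function names are hypothetical, and splitting the command line at the first ".exe" is an assumption.

```powershell
# Added example. Auditing needs no elevation; Repair-UnquotedServicePath
# must be run from an elevated prompt because it writes under HKLM.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # where the SCM stores ImagePath

function Split-ServiceCommand([string]$CommandLine) {
    # Assumption: the executable ends at the first ".exe" followed by whitespace or end of line.
    # A command line that starts with a quote never matches, so quoted paths are skipped.
    $m = [regex]::Match($CommandLine.Trim(), '^(?<exe>[^"]+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if ($m.Success) { $m.Groups['exe'].Value, $m.Groups['args'].Value }
}

function Get-UnquotedServicePath {
    # Same data as the wmic query, but for every start mode and every install location.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe, $cmdArgs = Split-ServiceCommand $_.PathName
        if ($exe -and $exe -match '\s') {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                StartName = $_.StartName   # account the service runs as
                PathName  = $_.PathName
            }
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name)
    process {
        $key = Join-Path $ServicesKey $Name
        # Read the raw value so %SystemRoot%-style variables are written back unexpanded.
        $raw = (Get-Item -LiteralPath $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        $exe, $cmdArgs = Split-ServiceCommand $raw
        if (-not $exe -or $exe -notmatch '\s') { return }   # already quoted or no spaces
        $fixed = '"{0}"{1}' -f $exe, $cmdArgs
        if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
# Preview the change first, then rerun without -WhatIf to apply it:
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

A service that is already running keeps its current command line; the quoted ImagePath takes effect the next time the service starts.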

Initial mail sent 2nd Nov 2017
Mail sent to webcompanion on 2nd Jan 2018 --> No response
Mail sent to webcompanion on 20th Jan 2018 --> No response
Disclosure date 23rd Jan 2018



