Windows Service contain spaces and are not encapsulated within quotes: #192

Closed
sercanacar opened this issue Apr 25, 2014 · 7 comments

Comments

@sercanacar

The following services contain spaces and are not encapsulated within quotes:

OssecSvc (C:\Program Files (x86)\ossec-agent\ossec-agent.exe)

A local attacker with low privileged access may be able to escalate to a high privileged role if successfully exploited.

@jrossi
Member

jrossi commented Apr 25, 2014

I did not think this was exploitable. But I can see it. @awiddersheim do you have time to look at this?

@ossec think a fix to this should get pulled to stable before release.

@mstarks01
Contributor

This is a valid issue and will be labelled high risk with some security scanners. Lots of apps, including those like McAfee, have had this issue flagged. I don't necessarily agree that it is a high risk given that non-administrators usually don't have logon local rights, but it is what it is. The fix is easy.

@awiddersheim
Member

I will try and fix tomorrow morning.

@jrossi
Member

jrossi commented Apr 25, 2014

Thank you. I am not able to get online till Sunday, maybe not Monday. Let me know if you cannot and I will go to Starbucks and patch.

@awiddersheim
Member

This seems to have already been fixed and I think @sercanacar might be looking at an older version. I found the fixing commit below which fixes the same thing @sercanacar reported:

d824ee3

I installed v2.7.1 and I don't see any issues.


The actual service installation and how it installs now does add quotes around the string here:

https://github.com/ossec/ossec-hids/blob/master/src/win32/win_agent.c#L106

This is before the InstallService() function gets called (if ever depending on user input). @sercanacar What version of OSSEC are you running? @jrossi Can you provide a link to the latest beta version for him to try there to see if it is still an issue?

@awiddersheim
Member

@sercanacar You should be able to download the v2.8 beta-1 from here:

http://www.ossec.net/?page_id=19

This should fix the issue. Please report back if not.

@mstarks01
Contributor

FYI, the Nessus plugin ID which flags this as a high risk finding is 63155. From the report:

Synopsis: The remote Windows host has at least one service installed that uses
an unquoted service path.

Description
The remote Windows host has at least one service installed that uses
an unquoted service path, which contains at least one whitespace. A
local attacker could gain elevated privileges by inserting an
executable file in the path of the affected service.
Note that this is a generic test that will flag any application
affected by the described vulnerability.

Solution
Ensure that any services that contain a space in the path enclose the
path in quotes.

See Also
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658
http://www.nessus.org/u?4aa6acbc

Risk Factor: High

CVSS Base Score
7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score
6.5 (CVSS2#E:POC/RL:U/RC:ND)

Plugin Output
Nessus found the following service with an untrusted path:
OssecSvc : C:\Program Files (x86)\ossec-agent\ossec-agent.exe

CVE
CVE-2013-1609
CVE-2014-0759

BID
58591
58617
65873

Xref
OSVDB:91492
OSVDB:91582
OSVDB:102505
ICSA:14-058-01

Vulnerability Publication Date: 2012/09/15

Plugin Publication Date: 2012/12/05

Plugin Last Modification Date: 2014/03/19

Public Exploit Available: True

Exploitable With: Metasploit (Windows Service Trusted Path Privilege Escalation)
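
An added example, not code from the OSSEC project or from anyone in this thread: the check the scanner report describes (an unquoted service path containing whitespace) and the quoting fix discussed above, sketched in portable C. The function names `image_path_needs_quotes` and `quote_image_path` are hypothetical, and using the first ".exe" to separate path spaces from argument spaces is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LOW(c) tolower((unsigned char)(c))

/* Offset just past the first ".exe" (any case) followed by whitespace or
 * end of string; 0 if there is none. Assumed heuristic, see lead-in. */
static size_t exe_end(const char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i + 4 <= n; i++)
        if (s[i] == '.' && LOW(s[i + 1]) == 'e' && LOW(s[i + 2]) == 'x' &&
            LOW(s[i + 3]) == 'e' &&
            (s[i + 4] == '\0' || s[i + 4] == ' ' || s[i + 4] == '\t'))
            return i + 4;
    return 0;
}

/* 1 if the ImagePath is unquoted and has whitespace inside the executable
 * path itself; spaces that only separate arguments do not count. */
int image_path_needs_quotes(const char *p)
{
    size_t i, end;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '"')
        return 0;                       /* already quoted */
    end = exe_end(p);
    if (end == 0) end = strlen(p);      /* no .exe seen: scan the whole string */
    for (i = 0; i < end; i++)
        if (p[i] == ' ' || p[i] == '\t')
            return 1;
    return 0;
}

/* Write exe_path wrapped in double quotes to out. Returns 0, or -1 if the
 * path already holds a quote character or out is too small. */
int quote_image_path(const char *exe_path, char *out, size_t out_len)
{
    int n;
    if (strchr(exe_path, '"') != NULL)
        return -1;
    n = snprintf(out, out_len, "\"%s\"", exe_path);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* The unquoted path reported in this issue. */
    const char *p = "C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe";
    char fixed[260];
    if (image_path_needs_quotes(p) && quote_image_path(p, fixed, sizeof fixed) == 0)
        printf("register as: %s\n", fixed);
    return 0;
}
```

The checker works on ImagePath strings exported from a host, so it can be run over an inventory without touching the service manager.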
