- CVE ID: CVE-2021-47867
- Product: WIN-PAK® PRO
- Affected Version: 4.8
- Component: ScheduleService (Windows Service)
- Vulnerability Type: Unquoted Service Path
- CWE: CWE-428 – Unquoted Search Path or Element
- Attack Class: Local Privilege Escalation
- CVSS v3.1 Score: 7.8 (High)
- Severity: High
- Attack Vector: Local
- Privileges Required: Low
- User Interaction: None
- Exploit Availability: Public proof-of-concepts exist (educational / testing use only)
Description of the Vulnerability
An unquoted service path vulnerability exists in the ScheduleService component of WIN-PAK PRO version 4.8.
The Windows service is configured with an executable path that contains spaces and is not enclosed in quotation marks.
When the Service Control Manager starts a service, it hands the ImagePath to CreateProcess. If that path is unquoted and contains spaces, CreateProcess cannot tell where the executable name ends and its arguments begin, so it tries each space-delimited prefix in turn, appending .exe where the prefix has no extension, and runs the first file that exists. If an attacker can create an executable at one of those earlier-resolved locations, the Service Control Manager launches that file instead of the legitimate service binary.
Because the affected service runs with SYSTEM-level privileges, the planted executable inherits them, and successful exploitation results in full administrative control of the host.
The root cause is an insecure service configuration rather than a software logic flaw, so exploitation is reliable wherever its preconditions hold. Those preconditions matter: the attacker needs permission to create a file in one of the intercepted directories (C:\ or C:\Program Files (x86)\WINPAKPRO\ for the path shown below), which a standard user does not have on a default Windows installation (standard users may create folders, but not files, in the drive root), and needs the service to be started, which a low-privileged user usually cannot trigger directly and so must wait for a reboot or an operator restart. The vulnerability is therefore most dangerous on hosts where directory ACLs have been loosened or the installation directory is writable by ordinary users.
Example of the Misconfiguration
Configured service path:
C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe
Because the path contains three spaces before the executable's extension, Windows tries these locations in order, appending .exe to each prefix that lacks an extension, and runs the first one that exists:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\WINPAKPRO\ScheduleService.exe
C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe
If an executable named Program.exe exists in C:\ (or Program Files.exe in C:\, or ScheduleService.exe next to the real binary), it is executed as SYSTEM in place of the legitimate service.
Impact
If exploited, the following outcomes are possible:
- Full SYSTEM-level privilege escalation
- Installation of persistent backdoors
- Creation of unauthorized administrator accounts
- Credential dumping and lateral movement
- Tampering with access-control systems managed by WIN-PAK
- Complete compromise of the affected host
The vulnerability does not allow remote exploitation by itself; however, it significantly increases risk once local access is obtained.
Exploitation Details (Educational Use Only)
Public proof-of-concept techniques exist that demonstrate how unquoted service paths can be abused. These techniques are widely documented in security research and penetration-testing tools and are included here only to support detection and remediation efforts.
High-Level Exploitation Flow
- Local service configurations are enumerated to identify unquoted executable paths.
- File system permissions are checked to determine writable parent directories.
- A benign or malicious executable is placed in an earlier-resolved path (e.g., C:\Program.exe).
- The vulnerable service is restarted or triggered during system boot.
- The malicious executable runs with the service’s privilege level (SYSTEM).
No exploitation of memory corruption or bypass of kernel protections is required.
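As an added example (not from the advisory and not Honeywell tooling), the following PowerShell expands the candidate paths Windows tries for an unquoted ImagePath, enumerates every service on the host with the same weakness, and probes whether the current account can create a file at each hijack location. It assumes the standard HKLM service registry layout; the function names are mine, and the write probe creates and then deletes a temporary file in each directory it tests.

```powershell
# Added example, not part of the advisory and not Honeywell tooling.
# Enumerates services whose ImagePath is unquoted and contains a space,
# expands the candidate executables CreateProcess would try (in order), and
# reports whether each candidate's directory is writable by the current user.
# Assumptions: standard Windows registry layout; run it as the account whose
# access you want to assess (a standard user for the attacker's view).

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Keep only the executable portion: up to and including the first '.exe'.
    # Arguments after it are irrelevant because the real binary is found first.
    $end = $ImagePath.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($end -lt 0) { return @() }
    $tokens = $ImagePath.Substring(0, $end + 4) -split ' '
    $candidates = for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        # CreateProcess appends .exe only when the prefix has no extension.
        if ($i -lt $tokens.Count -and $prefix -notmatch '\.[^\\ ]+$') { "$prefix.exe" } else { $prefix }
    }
    return @($candidates)
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # A real write probe is more reliable than parsing ACLs: on a default
    # install Authenticated Users may create folders in C:\ but not files,
    # which is exactly the distinction that matters for dropping Program.exe.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ("uqsp-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePaths {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $imagePath = $imagePath.Trim()
        # Skip already-quoted paths and non-drive-letter forms (\SystemRoot\, %SystemRoot%, \??\),
        # which this simplified check does not expand.
        if ($imagePath.StartsWith('"') -or $imagePath -notmatch '^[A-Za-z]:\\') { continue }
        $candidates = Get-UnquotedPathCandidates -ImagePath $imagePath
        if ($candidates.Count -lt 2) { continue }   # no space before the real .exe: not affected
        # Every candidate except the last (the real binary) is a hijack point.
        foreach ($candidate in $candidates[0..($candidates.Count - 2)]) {
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $imagePath
                Candidate = $candidate
                Exists    = Test-Path -LiteralPath $candidate
                Writable  = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Worked example with the advisory's path: yields C:\Program.exe, C:\Program Files.exe,
# C:\Program Files (x86)\WINPAKPRO\ScheduleService.exe and then the real binary.
Get-UnquotedPathCandidates -ImagePath 'C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe'

# Host-wide audit; a row with Writable = True (or Exists = True) needs immediate attention.
Find-UnquotedServicePaths | Sort-Object Service | Format-Table -AutoSize
```

Run it twice: once as a standard user to see what an attacker on the host could actually reach, and once elevated to inventory every affected service for the configuration audit. A row with Exists = True for any candidate (the real binary is never listed) means a file already sits at a hijack location and should be handled as an incident, not a misconfiguration.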
MITRE ATT&CK Mapping
- Tactics: Privilege Escalation (T1574 is also mapped to Persistence and Defense Evasion)
- Technique: T1574.009 – Hijack Execution Flow: Path Interception by Unquoted Path
- Related Technique: T1068 – Exploitation for Privilege Escalation
Detection Strategy
Detection should focus on behavioral indicators, service configuration auditing, and process lineage monitoring.
Recommended Log Sources
- Windows Security Event Logs
- Windows System Logs (Service Control Manager)
- Sysmon (Process Creation events)
- Endpoint Detection and Response (EDR) telemetry
- File integrity monitoring (FIM)
Indicators of Suspicious Activity
- Execution of binaries from unusual locations, such as:
C:\Program.exe
C:\*.exe (any executable directly in the drive root)
C:\Program Files (x86)\WINPAKPRO\ScheduleService.exe
- services.exe spawning unexpected child processes
- SYSTEM-level processes executing non-standard binaries
- Creation of executables in root directories shortly before service restarts
- New administrative users created near service start times
Tailored Splunk Detection Rules
Field names below follow the Splunk Add-on for Microsoft Windows (New_Process_Name, Creator_Process_Name, Account_Name and Process_Command_Line for 4688; Object_Name and Accesses for 4663; Service_Name and Service_File_Name for 7045); adjust them to your add-on. Event 4688 is only logged when "Audit Process Creation" is enabled, the command line is only present when "Include command line in process creation events" is on, and Creator_Process_Name is populated on Windows 10 / Server 2016 and later. In the regex command two backslashes match one literal backslash; in eval functions such as match() the string is unescaped first, so a literal backslash needs four.
1. Detect Suspicious Service-Spawned Executables
index=wineventlog EventCode=4688
| where Creator_Process_Name="C:\\Windows\\System32\\services.exe"
| regex New_Process_Name="^[A-Za-z]:\\[^\\]+\.exe$"
| table _time, ComputerName, Account_Name, Creator_Process_Name, New_Process_Name, Process_Command_Line
The same logic applies to Sysmon process creation (EventCode=1) with ParentImage in place of Creator_Process_Name and Image in place of New_Process_Name.
2. Detect New Executables Created in the Drive Root
index=wineventlog EventCode=4663 Accesses="*WriteData*"
| regex Object_Name="^[A-Za-z]:\\[^\\]+\.exe$"
| table _time, ComputerName, Account_Name, Object_Name, Accesses
Event 4663 only fires if "Audit File System" is enabled and a SACL that audits file creation is set on the drive root; where that is not deployed, Sysmon FileCreate (EventCode=11) with TargetFilename matching the same pattern is the practical alternative.
3. Detect Service Start Followed by Unusual Process Execution
index=wineventlog (EventCode=7036 OR EventCode=7045 OR EventCode=4688)
| eval root_exe=if(EventCode=4688 AND match(New_Process_Name, "^[A-Za-z]:\\\\[^\\\\]+\\.exe$"), 1, 0)
| search EventCode!=4688 OR root_exe=1
| transaction ComputerName maxspan=2m
| search root_exe=1 (EventCode=7036 OR EventCode=7045)
| table _time, ComputerName, EventCode, Service_Name, New_Process_Name, duration
The first search keeps only service state changes and root-level process launches before the transaction is built, so that a transaction is reported only when a service event and a root-level execution occur on the same host within two minutes.
4. Configuration Audit – Unquoted Service Paths
index=wineventlog EventCode=7045
| where like(Service_File_Name, "% %") AND NOT like(Service_File_Name, "\"%")
| table _time, ComputerName, Service_Name, Service_File_Name
Event 7045 is logged only when a service is installed, so this rule catches newly installed unquoted services but not ones already present. For an inventory of existing services, run a scheduled configuration audit on each endpoint (a scripted input that reports ServiceName and ImagePath) and apply the same two conditions to that sourcetype.
Recommended Remediation
Immediate Actions
- The service executable path must be enclosed in quotation marks (for example via sc.exe config or by editing the service's ImagePath registry value); the change takes effect the next time the service starts.
- File system permissions on the drive root and on every parent directory of the service path (C:\ and C:\Program Files (x86)\WINPAKPRO\) must be reviewed and restricted so that unprivileged users cannot create files there.
- The affected service should be restarted only after the corrected path has been verified (sc.exe qc <service>), since a malformed path will prevent the service from starting.
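The quoting fix can be scripted as follows (added example, not part of the advisory or of Honeywell's guidance; the service name ScheduleService is taken from the advisory and should be confirmed with sc.exe qc, and the function name is mine). It quotes only the executable portion so that any arguments stay outside the quotes, uses sc.exe config so the Service Control Manager and the registry are updated together, and returns the registry value afterwards for confirmation.

```powershell
# Added example, not part of the advisory and not Honeywell tooling: wraps the
# executable portion of a service's ImagePath in quotes via sc.exe config, then
# re-reads the registry to confirm. The service name 'ScheduleService' is assumed
# from the advisory; confirm it with 'sc.exe qc' first. Run from an elevated prompt.

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath.Trim()
    if ($imagePath.StartsWith('"')) {
        Write-Verbose "$Name is already quoted: $imagePath"
        return $imagePath
    }

    # Split the executable (up to the first .exe) from any trailing arguments so the
    # arguments stay outside the quotes; otherwise the service would fail to start.
    $m = [regex]::Match($imagePath, '^(?<exe>.+?\.exe)(?<rest>.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "No .exe found in ImagePath for ${Name}: $imagePath" }
    $exe  = $m.Groups['exe'].Value
    $rest = $m.Groups['rest'].Value
    $fixed = '"{0}"{1}' -f $exe, $rest

    if ($PSCmdlet.ShouldProcess($Name, "Change ImagePath to $fixed")) {
        # Start-Process passes a single string verbatim to sc.exe, sidestepping
        # PowerShell's own handling of embedded double quotes. sc.exe needs the
        # space after 'binPath=' and the \" escapes so the quotes reach the SCM.
        $arguments = 'config {0} binPath= "\"{1}\"{2}"' -f $Name, $exe, $rest
        $p = Start-Process -FilePath 'sc.exe' -ArgumentList $arguments -Wait -NoNewWindow -PassThru
        if ($p.ExitCode -ne 0) { throw "sc.exe config failed with exit code $($p.ExitCode)" }
    }

    # Verify from the registry, which is what the SCM reads at the next service start.
    return (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
}

# Preview the change first, then apply it.
Repair-UnquotedServicePath -Name 'ScheduleService' -WhatIf
Repair-UnquotedServicePath -Name 'ScheduleService' -Verbose
```

Once the returned value starts with a double quote, restart the service in a maintenance window (Restart-Service -Name ScheduleService) and confirm it reaches the running state; a typo in the quoted path shows up here as a start failure rather than later as a silent hijack. Re-run the host's service configuration audit afterwards to make sure no other service on the same system has the same weakness.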
Long-Term Mitigation
- Regular audits of Windows service configurations
- Deployment of EDR with process ancestry visibility
- Application control or allow-listing for SYSTEM processes
- Centralized detection of unquoted service paths across endpoints
Official Patch / Upgrade Information (Vendor Only)
The vulnerability is addressed through vendor guidance and updates provided by Honeywell.
Official vendor product and update portal:
https://buildings.honeywell.com/us/en/products/by-category/access-control/win-pak
For remediation confirmation, customers are advised to contact Honeywell support directly or apply vendor-provided updates that correct service path configuration.
Risk Assessment Summary
This vulnerability presents a high risk in environments where:
- Local users or services have write access to system paths
- WIN-PAK PRO is installed on shared or multi-user systems
- EDR or process monitoring is limited
Because exploitation is simple and reliable once access is obtained, remediation should be prioritized.
Final Note
All exploitation details described above are included solely for defensive, detection, and educational purposes.
Unauthorized exploitation of this vulnerability is illegal and unethical.
