CVE-2021-47874: Silent Service Misconfiguration Leading to SYSTEM-Level Privilege Escalation in VFS for Git

Aegiron 8 mins0

Vulnerability Overview

CVE ID: CVE-2021-47874
Product: VFS for Git (formerly GVFS)
Affected Component: GVFS.Service Windows service
Vulnerability Type: Unquoted Service Path
Impact: Local Privilege Escalation
Attack Vector: Local
Privileges Required: Low
User Interaction: None

CVSS v3.1 Base Score: 7.8 (High)
CVSS v4.0 Base Score: 8.5 (High)

Executive Summary

A local privilege escalation vulnerability was identified in VFS for Git due to an unquoted service path configuration in the GVFS.Service Windows service.
When installed on Windows systems, the service binary path was configured without quotation marks, despite containing spaces. As a result, Windows may incorrectly resolve and execute a malicious binary placed in a higher-level directory. Since the service runs under the LocalSystem account, successful exploitation results in full SYSTEM-level privileges.

This issue is particularly dangerous in multi-user systems, developer workstations, CI/CD build servers, or any environment where local users have file write access to parent directories.

Technical Details

Root Cause

The GVFS.Service was registered with an unquoted ImagePath, similar to:

C:\Program Files\GVFS\GVFS.Service.exe

On Windows, service paths that include spaces must be enclosed in quotes. If they are not, the operating system attempts to interpret the executable path sequentially, stopping at each space.

This causes Windows to search for executables in the following order:

  1. C:\Program.exe
  2. C:\Program Files\GVFS.exe
  3. C:\Program Files\GVFS\GVFS.Service.exe (intended)

If a malicious executable exists in any earlier location, it may be executed instead of the legitimate service binary.

Exploitation Scenario (Educational)

The following describes how exploitation could occur in a controlled or defensive testing environment:

  1. A local user account (non-administrator) is present on the system.
  2. Write permissions exist on a directory such as C:\ or another parent directory in the service path.
  3. A malicious executable named Program.exe (or similar) is placed in that writable directory.
  4. The GVFS.Service is restarted, or the system is rebooted.
  5. Windows executes the attacker-controlled binary instead of the legitimate service executable.
  6. The malicious binary runs with SYSTEM privileges, fully compromising the host.

No memory corruption or exploit chaining is required. This vulnerability relies entirely on Windows path resolution behavior.

Exploit / PoC Availability

A public proof-of-concept demonstrating this behavior has been published and confirmed to work against affected versions of VFS for Git.

MITRE Mapping

MITRE ATT&CK Technique:

  • T1574.009 – Path Interception by Unquoted Path

CWE Classification:

  • CWE-428 – Unquoted Search Path or Element

Detection Strategy

What Should Be Detected

Detection should focus on:

  • Unquoted service paths containing spaces
  • Unexpected executable creation in parent directories
  • Services spawning processes from unusual locations
  • Service-started processes running from root or top-level paths

Log Sources to Monitor

The following telemetry sources should be enabled and monitored:

  • Windows Security Event Logs
  • Windows System Event Logs
  • Sysmon (highly recommended)
  • Endpoint Detection & Response (EDR) telemetry
  • Registry auditing
  • File integrity monitoring

Key Indicators of Exploitation

  • New executable files appearing in C:\ or similar directories
  • Processes launched as SYSTEM from unexpected paths
  • Service restarts followed by abnormal process execution
  • Registry entries showing unquoted service ImagePath values

Detection Rules

1. Detect Unquoted Service Paths (Registry)

index=windows sourcetype=WinRegistry
| where like(RegistryPath, "%CurrentControlSet\\Services%")
| eval ImagePath=RegistryValueData
| where match(ImagePath, "\s") AND NOT match(ImagePath, "^\".*\"$")
| table _time host RegistryPath ImagePath

Purpose:
Identifies Windows services configured with unquoted executable paths containing spaces.

2. Detect Suspicious Executables in Root Directory

index=windows sourcetype=WinEventLog:Security EventCode=4688
| where like(NewProcessName, "C:\\%.exe")
| table _time host User NewProcessName ParentProcessName

Purpose:
Flags executables launched directly from the system root, which is uncommon for legitimate services.

3. Detect Service-Launched Processes from Unexpected Paths

index=windows sourcetype=WinEventLog:System EventCode=7045
| table _time host ServiceName ImagePath ServiceAccount

Followed by:

index=windows sourcetype=WinEventLog:Security EventCode=4688
| where ParentProcessName="services.exe"
| where NOT like(NewProcessName, "%Program Files%")
| table _time host NewProcessName ParentProcessName

Purpose:
Detects services spawning binaries outside standard installation directories.

4. File Creation + Execution Correlation

index=windows (EventCode=11 OR EventCode=4688)
| transaction host maxspan=2m
| search TargetFilename="C:\\*.exe" AND EventCode=4688

Purpose:
Correlates newly created executables with near-immediate execution, a common exploitation pattern.

Mitigation and Remediation

Official Patch / Upgrade (Recommended)

The vulnerability has been addressed in newer releases of VFS for Git.

Official upgrade source:
https://github.com/microsoft/VFSForGit/releases

Only installers obtained from the official project release page should be used.

Temporary Mitigation (If Upgrade Is Delayed)

  • Ensure all service ImagePath values are enclosed in quotation marks.
  • Restrict write permissions on:
    • C:\
    • C:\Program Files
    • C:\Program Files (x86)
  • Enforce application control policies (AppLocker or WDAC).
  • Monitor and alert on executable creation in privileged directories.

Risk Assessment Summary

FactorRisk
Ease of ExploitationHigh
Privilege EscalationSYSTEM
Attack ComplexityLow
Detection DifficultyMedium
Business ImpactHigh

Final Takeaway

This vulnerability represents a classic Windows misconfiguration issue that remains highly effective even today. While technically simple, its impact is severe due to the privilege level involved. Detection and prevention should not be limited to VFS for Git alone; all Windows services across the environment should be audited for similar misconfigurations.

Proactive service path auditing, combined with endpoint behavioral monitoring, significantly reduces exposure to this class of attacks.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.