Active Webcam 11.5 Unquoted Service Path Patched

Active Webcam 11.5 (developed by PY Software) contains a high-risk security vulnerability known as an Unquoted Service Path. This flaw is officially tracked as CVE-2021-47790 and was first publicly documented in September 2021 (Exploit-DB).

Vulnerability Overview: CVE-2021-47790

By using the standard Windows sc command, any user can query the configuration of a service. Running sc qc ACTIVEWEBCAM on a vulnerable system yields the following output, which shows the root cause of the issue:

Because the default installation directory is usually C:\Program Files (x86)\Active Webcam\, the path inherently contains spaces. Without proper quotation marks in the Windows Registry entry, the application left systems vulnerable to local privilege escalation (LPE).

How the Vulnerability is Exploited

where the path splits.

Step 1: Checking Directory Permissions

The vendor has resolved the issue by properly quoting the service binary path:

If you do not require the Active WebCam service to run automatically with the system, you can configure the software to start only when a user logs in. This does not fix the unquoted path, but it removes the privilege‑escalation avenue because the service will no longer run as LocalSystem.

This command filters for services that start automatically, excludes standard Windows directory services, and looks for paths missing quotation marks.

2. Checking Directory Permissions

Active Webcam 11

The correct, patched registry path string should look like this:

"C:\Program Files (x86)\Active Webcam\WebcamService.exe"

Method 1: Manual Registry Modification

Windows might look for a program named C:\Program.exe or C:\Program Files\Active.exe before reaching the actual webcam executable.

C:\Program Files\Active.exe (with Webcam\WebcamService.exe as an argument)
C:\Program Files\Active Webcam\WebcamService.exe

The Security Risk

In the world of cybersecurity, vulnerabilities often hide in the most mundane places. One such common, yet dangerous, misconfiguration is the Unquoted Service Path. Users of the "Active Webcam 11.5" software, a popular tool for surveillance and video broadcasting, need to be aware of a security flaw that allows for potential system hijacking.

If an attacker has the ability to drop a malicious binary in an earlier folder (e.g., C:\Program.exe) and the service is set to start automatically with SYSTEM privileges, the malicious binary will be executed in place of the legitimate service. This leads to privilege escalation, allowing the attacker to run arbitrary code at the highest system level.
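To audit for this condition, the helper below (an added example, not code from the original page or from PY Software) takes a service ImagePath string as exported from the registry, reports whether it is unquoted with spaces, lists the locations Windows would probe in order so their directory permissions can be reviewed, and builds the quoted form. The function names are hypothetical; the sample path is the one quoted on this page.

```python
import ntpath
import re

# Executable part of an unquoted ImagePath: text up to the first ".exe" that is
# followed by whitespace or end of string; the remainder is service arguments.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, quoted) for a service ImagePath value."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:                      # malformed: opening quote never closed
            return p[1:], "", True
        return p[1:end], p[end + 1:].strip(), True
    m = _EXE.match(p)
    if m:
        return m.group(1), m.group(2).strip(), False
    return p, "", False

def is_unquoted_with_spaces(image_path):
    """True when the executable path has a space and no surrounding quotes."""
    exe, _, quoted = split_image_path(image_path)
    return not quoted and " " in exe

def probe_order(image_path):
    """Locations Windows tries, in order, when resolving the executable."""
    exe, _, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return [exe]
    tokens, probes = exe.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:  # no extension yet: ".exe" is appended
            prefix += ".exe"
        probes.append(prefix)
    return probes

def quoted_form(image_path):
    """ImagePath with the executable wrapped in quotes, arguments preserved."""
    exe, args, _ = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

if __name__ == "__main__":
    sample = r"C:\Program Files (x86)\Active Webcam\WebcamService.exe"  # path from this page
    print("unquoted with spaces:", is_unquoted_with_spaces(sample))
    for location in probe_order(sample):
        print("review permissions on:", ntpath.dirname(location))
    print("quoted form:", quoted_form(sample))
```

Every directory printed by the demo should be writable only by administrators; a quoted ImagePath collapses the probe list to the single intended executable.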

If the command returns a path without quotes, the system is still vulnerable. If it returns nothing, the path is either quoted correctly or the service is not present.

Conclusion