CVE-2019-20362
📋 TL;DR
This vulnerability allows local attackers to escalate privileges by exploiting an unquoted service path in Teradici PCoIP software. When the service starts, Windows may execute a malicious executable placed in a specific directory instead of the intended service file. It affects users running vulnerable versions of PCoIP Agent or Client on Windows systems.
💻 Affected Systems
- Teradici PCoIP Agent
- Teradici PCoIP Client
📦 What is this software?
PCoIP Client by Teradici
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, and persistence.
Likely Case
Local user with write access to affected directories escalates to higher privileges, potentially installing malware or accessing sensitive data.
If Mitigated
With proper access controls and monitoring, the impact is limited to specific systems; the attacker needs local access and write permissions.
🎯 Exploit Status
Exploitation requires local access and ability to place malicious executable in vulnerable path; unquoted service path vulnerabilities are well-known attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Agent 19.08.1 or later, Client 19.08.3 or later
Vendor Advisory: https://help.teradici.com/s/article/unquoted-service-path-vulnerability-windows-agent-client-19-08-earlier
Restart Required: Yes
Instructions:
1. Download the latest version from the Teradici website.
2. Install the update.
3. Restart the system to ensure the service uses the patched version.
🔧 Temporary Workarounds
Add quotes to service path
Windows: Manually edit service configuration to add quotes around the executable path in Windows Registry.
sc config "PCoIP_vchan_printing_svc" binPath= "\"C:\Program Files (x86)\Teradici\PCoIP\pcoip_vchan_printing_svc.exe\""
Restrict directory permissions
Windows: Set strict ACLs on Teradici directories to prevent unauthorized users from writing malicious executables.
icacls "C:\Program Files (x86)\Teradici" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls on Teradici directories to prevent unauthorized writes.
- Monitor for suspicious executable creation in Teradici paths using file integrity monitoring.
🔍 How to Verify
Check if Vulnerable:
Check service configuration: run sc qc "PCoIP_vchan_printing_svc" and look at BINARY_PATH_NAME for an unquoted path containing spaces.
Check Version:
Check installed version in Control Panel > Programs and Features or run: wmic product where name="Teradici PCoIP Agent" get version
Verify Fix Applied:
Verify service path is quoted: sc qc "PCoIP_vchan_printing_svc" should show quoted executable path.
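The check described above, generalized from the single service named on this page to every service on the host, as an added example that is not Teradici's or Microsoft's code. The function names Test-UnquotedServicePath and Get-QuotedServicePath are chosen for this example, and the sample values are constructed apart from the path quoted in the workaround.

```powershell
# Added example: flag service paths that are unquoted AND have a space in the
# executable portion. Function names are chosen for this example.
# Executable = shortest prefix ending in ".exe" followed by whitespace or end of string;
# everything after it is treated as arguments.
$ExePattern = '^(?<exe>.+?\.exe)(?=\s|$)(?<args>.*)$'

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }         # already quoted
    if ($p -notmatch $ExePattern) { return $false }   # no .exe, e.g. kernel drivers (.sys)
    $exe = $Matches['exe']
    return ($exe -match '\s')                         # a space only in the arguments is fine
}

function Get-QuotedServicePath {
    # Returns the path with the executable portion quoted and arguments preserved.
    param([Parameter(Mandatory)][string]$PathName)
    if (-not (Test-UnquotedServicePath $PathName)) { return $PathName }
    $null = $PathName.Trim() -match $ExePattern
    return ('"{0}"{1}' -f $Matches['exe'], $Matches['args'])
}

# Constructed sample values; the first two use the path from the workaround above.
$samples = @(
    'C:\Program Files (x86)\Teradici\PCoIP\pcoip_vchan_printing_svc.exe',
    '"C:\Program Files (x86)\Teradici\PCoIP\pcoip_vchan_printing_svc.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs -p',
    '\SystemRoot\System32\drivers\example.sys'
)
foreach ($s in $samples) {
    [pscustomobject]@{
        PathName = $s
        Flagged  = (Test-UnquotedServicePath $s)
        Quoted   = (Get-QuotedServicePath $s)
    }
}

# Read-only audit of the local host: list every service whose path is flagged.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Select-Object Name, StartName, PathName
```

Only the first sample is flagged; the svchost line is unquoted but its only spaces are in the arguments, which is the usual source of false positives in this check.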
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Service Control Manager events (7036) showing service start failures
- Security logs: Unauthorized file creation in Teradici directories
Network Indicators:
- No network indicators - local privilege escalation only
SIEM Query:
EventID=7036 AND ServiceName="PCoIP_vchan_printing_svc" AND (Message contains "failed" OR Message contains "error")