CVE-2020-37062
📋 TL;DR
CVE-2020-37062 is an unquoted service path vulnerability in DHCP Turbo that allows local attackers to execute arbitrary code with elevated privileges. Attackers can place malicious executables in the service path to gain SYSTEM-level access when the service starts. This affects systems running DHCP Turbo 4.61298 on Windows.
💻 Affected Systems
- DHCP Turbo
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, allowing complete control over the affected system, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation leading to persistence mechanisms, credential harvesting, and installation of additional malware.
If Mitigated
Limited impact if proper access controls prevent local users from writing to service directories and if endpoint protection blocks suspicious executables.
🎯 Exploit Status
Exploit requires local access and ability to write to a directory in the service path. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.weird-solutions.com
Restart Required: Yes
Instructions:
1. Check vendor website for updated version.
2. If available, download and install updated version.
3. Restart the DHCP Turbo service.
4. Verify the service path is properly quoted in Windows Services.
🔧 Temporary Workarounds
Quote Service Path
Windows: Manually add quotes around the service binary path in Windows Services
sc config "DHCP Turbo" binPath= "\"C:\Program Files\DHCP Turbo\dhcpturbo.exe\""
Restrict Directory Permissions
Windows: Set strict permissions on directories in the service path to prevent unauthorized writes
icacls "C:\Program Files\DHCP Turbo" /inheritance:r /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F" /grant "Users:(OI)(CI)RX"
🧯 If You Can't Patch
- Remove write permissions for non-admin users from all directories in the service path hierarchy
- Monitor for suspicious executable creation in service path directories using file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Run: sc qc "DHCP Turbo" and check if the BINARY_PATH_NAME contains spaces without quotes
Check Version:
Check program version in Control Panel > Programs and Features or run the executable with --version flag
Verify Fix Applied:
Run: sc qc "DHCP Turbo" and verify BINARY_PATH_NAME is properly quoted with double quotes
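An added PowerShell example (not from the vendor or the original advisory) that applies the check above to every service on a host: it flags unquoted image paths containing spaces and lists the file paths that file integrity monitoring should alert on. The function name and sample values are constructed for illustration; the DHCP Turbo path mirrors the one used in the workaround above and is an assumed install location.

```powershell
# Added example: audit for unquoted service paths. Function name is hypothetical.
function Get-UnquotedPathWatchList {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return @() }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }      # quoted: parsed unambiguously

    # Isolate the executable portion, dropping any trailing arguments.
    $m = [regex]::Match($p, '(?i)^(.+?\.exe)(\s|$)')
    if (-not $m.Success) { return @() }
    $exe = $m.Groups[1].Value
    if (-not $exe.Contains(' ')) { return @() } # no spaces: nothing to misparse

    # Windows tries each space-delimited prefix plus ".exe" before the real
    # binary, so a file appearing at any of these paths should raise an alert.
    $watch = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $watch += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }
    return $watch
}

# Constructed sample values so the logic can be checked offline.
$samples = @(
    'C:\Program Files\DHCP Turbo\dhcpturbo.exe',
    '"C:\Program Files\DHCP Turbo\dhcpturbo.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $w = @(Get-UnquotedPathWatchList $s)
    '{0,-5} {1}' -f ($w.Count -gt 0), $s
    $w | ForEach-Object { "        watch: $_" }
}

# Live audit of the local host.
Get-CimInstance Win32_Service | ForEach-Object {
    $w = @(Get-UnquotedPathWatchList $_.PathName)
    if ($w.Count -gt 0) {
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            PathName   = $_.PathName
            WatchPaths = $w -join '; '
        }
    }
}
```

Only the first sample is flagged; the quoted path and the space-free svchost path produce no watch entries. Any service the live audit returns should have its path quoted and the parent directories of its watch paths checked with icacls.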
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 showing execution of unexpected executables from service path directories
- Unexpected service restarts or failures
Network Indicators:
- Unusual outbound connections from the DHCP server system
- DHCP service interruptions
SIEM Query:
EventID=4688 AND (Image LIKE '%Program Files%DHCP Turbo%' OR Image LIKE '%Program Files (x86)%DHCP Turbo%') AND NOT (Image LIKE '%dhcpturbo.exe%')