CVE-2020-37063
📋 TL;DR
CVE-2020-37063 is an unquoted service path vulnerability in TFTP Turbo 4.6.1273 that lets a local attacker run arbitrary code as LocalSystem. The service's ImagePath contains spaces but is not quoted, so when the Service Control Manager starts the service, CreateProcess tries each space-delimited prefix of the path with .exe appended before it reaches the real binary (for the default path C:\Program Files\TFTP Turbo\tftpserver.exe that is C:\Program.exe, then C:\Program Files\TFTP.exe). An attacker who can create a file at one of those locations plants an executable there, and it runs as SYSTEM the next time the service starts. Exploitation requires local access.
💻 Affected Systems
- TFTP Turbo
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary code execution with LocalSystem privileges, enabling persistence, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM privileges and install malware, backdoors, or ransomware.
If Mitigated
Limited impact when the directories along the service path (C:\ and C:\Program Files for the default install) keep their default ACLs, which do not let standard users create files there; the hijack then needs a second misconfiguration to be reachable.
🎯 Exploit Status
Exploitation requires a local account that can create a file in a directory along the service path (C:\ or C:\Program Files for the default install) and a service restart or reboot, which an unprivileged user can usually only wait for. Default Windows ACLs do not grant standard users create-file rights in either directory, so the bug is exploitable where those ACLs have been loosened or the software was installed to a user-writable path. Public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.1274 or later
Vendor Advisory: https://www.weird-solutions.com
Restart Required: Yes
Instructions:
1. Download the latest version from the vendor website.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart the system so the service starts from the updated configuration.
5. Confirm the new ImagePath is quoted (reg query "HKLM\SYSTEM\CurrentControlSet\Services\TFTPServer" /v ImagePath); an upgrade that leaves the path unquoted is still exploitable.
🔧 Temporary Workarounds
Quote Service Path
Manually add quotes around the service executable path in the Windows Registry. Confirm the real service key name and current path first (sc qc <name>, or the reg query under How to Verify), because the TFTPServer key and install path below are the default example and may differ on your host; then restart the service or reboot so the Service Control Manager re-reads ImagePath.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TFTPServer" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\TFTP Turbo\tftpserver.exe\"" /f
Restrict Directory Permissions
Make sure no directory along the service path lets standard users create files. For the default install the directories that matter are C:\ and C:\Program Files (where C:\Program.exe and C:\Program Files\TFTP.exe would be planted), not the application folder itself. Default Windows ACLs already withhold create-file rights from standard users there, so this is a check that the defaults have not been loosened:
icacls "C:\"
icacls "C:\Program Files"
If a broad principal (Users, Authenticated Users, Everyone) shows up with write, modify or full control, remove that specific grant rather than adding an explicit deny: a deny on Users also binds administrators, who are members of that group, and with (OI)(CI) inheritance it propagates into every subfolder.
🧯 If You Can't Patch
- Remove TFTP Turbo service if not required for business operations
- Implement strict access controls to prevent local users from writing to directories in the service path
🔍 How to Verify
Check if Vulnerable:
Check registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\TFTPServer" /v ImagePath (or sc qc TFTPServer, which shows the same value as BINARY_PATH_NAME; substitute the real service name if it differs, as listed by sc query or Get-Service). The system is vulnerable if the executable path contains a space anywhere before the .exe name and is not enclosed in double quotes; spaces that appear only in arguments after the .exe are harmless.
Check Version:
Check the program version in Control Panel > Programs and Features, or read it from the uninstall registry keys: Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like 'TFTP Turbo*' | Select-Object DisplayName, DisplayVersion. The older wmic product where name="TFTP Turbo" get version only sees MSI-installed packages, triggers an MSI consistency check on every installed product, and wmic itself is deprecated on current Windows releases.
Verify Fix Applied:
Verify registry path is quoted and check TFTP Turbo version is 4.6.1274 or higher.
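The registry check above and the exploitability condition under Exploit Status (write access to a directory along the path) can be automated host-wide. The PowerShell below is an added example, not the vendor's code or anything from the original advisory. It derives the file names the Service Control Manager would try before the real binary, following documented CreateProcess behaviour, and reports any whose parent directory grants write or create-file rights to Everyone, Users, Authenticated Users or INTERACTIVE. The C:\Program Files\TFTP Turbo\tftpserver.exe path in the demo call is the page's example path; the ACL check is a simplification that ignores Deny ACEs and is labelled as such in the code.

```powershell
# Added example (not from the vendor or the original advisory): audit every Win32
# service for an unquoted ImagePath, list the hijack file names the SCM would try,
# and flag those whose parent directory is writable by a broad principal.

function Get-HijackCandidate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ImagePath)
    # CreateProcess resolves an unquoted command line by trying each space-delimited
    # prefix with ".exe" appended until one exists, so every prefix *before* the real
    # executable is a file name an attacker would want to plant. A quoted path is
    # unambiguous and yields no candidates.
    $candidates = @()
    if ($ImagePath.TrimStart().StartsWith('"')) { return ,$candidates }
    $parts = $ImagePath.Trim() -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        # The search stops at the first prefix that already names the real .exe;
        # anything after it (arguments such as -service) is never tried as a file.
        if ($prefix -match '\.exe$') { break }
        $candidates += "$prefix.exe"
    }
    return ,$candidates
}

function Get-BroadWriteGrant {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Directory)
    # Principals every local user belongs to; an Allow ACE with create-file rights for
    # any of them means an unprivileged account can drop the hijack binary.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # FILE_WRITE_DATA / CreateFiles (0x2, also contained in Write, Modify and FullControl)
    # plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl
    # leaves undecoded in FileSystemRights.
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Directory
    # Simplification: Deny ACEs are not evaluated, so treat a hit as "review", not proof.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -in $broad -and
                       (([int]$_.FileSystemRights) -band $writeBits) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Find-UnquotedServicePath {
    # Win32_Service.PathName is the ImagePath as the SCM will use it (quotes preserved).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }   # some services carry no path at all
        foreach ($candidate in @(Get-HijackCandidate -ImagePath $svc.PathName)) {
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                ImagePath  = $svc.PathName
                HijackFile = $candidate
                WritableBy = (@(Get-BroadWriteGrant -Directory $dir) -join ', ')
            }
        }
    }
}

# The page's example path: prints the hijack file names the SCM tries first.
Get-HijackCandidate -ImagePath 'C:\Program Files\TFTP Turbo\tftpserver.exe'

# Host-wide audit. Run elevated so every service and ACL is readable; a row with a
# non-empty WritableBy is exploitable by that principal after a service restart.
Find-UnquotedServicePath | Format-Table -AutoSize
```

For the page's path, Get-HijackCandidate returns C:\Program.exe and C:\Program Files\TFTP.exe. A WritableBy hit for C:\ or C:\Program Files means the default Windows ACLs have been loosened; on an unmodified install neither directory grants standard users create-file rights, which is why this class of bug usually needs a second misconfiguration before it is exploitable.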
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected processes running as SYSTEM from unusual locations
- Process creation events (Security 4688 or Sysmon 1) for C:\Program.exe or C:\Program Files\TFTP.exe, the truncated prefixes of the service path, with services.exe as the parent process
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes
- A listener on UDP/69 owned by a process other than the expected tftpserver.exe (netstat -abno, or Get-NetUDPEndpoint -LocalPort 69 with OwningProcess resolved through Get-Process)
SIEM Query:
EventID=4688 AND ParentProcessName="*\services.exe" AND (NewProcessName="C:\Program.exe" OR NewProcessName="C:\Program Files\TFTP.exe")
Two things to avoid in this query: 4688 records for processes started by services.exe carry the computer account (COMPUTERNAME$) as SubjectUserName, not the literal "SYSTEM", so a SubjectUserName="SYSTEM" filter matches nothing useful; and a wildcard for "path containing a space" also matches every legitimate start of tftpserver.exe. Match the truncated file names instead (adjust them if the install directory differs). The same logic applies to Sysmon Event ID 1 using the Image and ParentImage fields.
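The detection logic above, run over process-creation records, as an added example that is not part of the original page: a launch is suspicious when the new process name, minus its .exe, followed by a space is a prefix of the legitimate service path, and the parent is services.exe. The legitimate path is the page's example; the event records are constructed sample data in the shape of Security event 4688 EventData fields, and the host name HOST01 and user alice are invented for the sample.

```powershell
# Added example (not from the original advisory): detect a truncated-path hijack
# binary being started by the Service Control Manager.

$LegitPath = 'C:\Program Files\TFTP Turbo\tftpserver.exe'   # the page's example path

function Test-TruncatedPathHijack {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$NewProcessName,
          [Parameter(Mandatory)][string]$LegitimatePath)
    # A hijack binary sits at "<prefix of the legitimate path ending just before a
    # space>.exe". Strip the .exe, append a space and test whether that is a prefix of
    # the real path; case-insensitive because NTFS and the SCM are. The legitimate
    # binary itself fails the test because its stem is followed by ".exe", not a space.
    if ($NewProcessName -notmatch '\.exe$') { return $false }
    $stem = $NewProcessName.Substring(0, $NewProcessName.Length - 4)
    return ($stem.Length -gt 0) -and
           $LegitimatePath.StartsWith("$stem ", [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-ServiceHijack {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events,
          [Parameter(Mandatory)][string]$LegitimatePath)
    # Only a launch by the Service Control Manager runs as the service account; the
    # same file started from Explorer is the attacker testing, not the SYSTEM run.
    $Events | Where-Object {
        $_.ParentProcessName -match '\\services\.exe$' -and
        (Test-TruncatedPathHijack -NewProcessName $_.NewProcessName -LegitimatePath $LegitimatePath)
    }
}

# Constructed sample records (hypothetical host HOST01, user alice). Note the subject:
# processes started by services.exe log the computer account, not the name "SYSTEM".
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-05 03:12:07'; SubjectUserName = 'HOST01$'
                       NewProcessName = 'C:\Program Files\TFTP Turbo\tftpserver.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-05 03:14:22'; SubjectUserName = 'HOST01$'
                       NewProcessName = 'C:\Program.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-05 03:14:22'; SubjectUserName = 'HOST01$'
                       NewProcessName = 'C:\Program Files\TFTP.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-05 02:58:40'; SubjectUserName = 'alice'
                       NewProcessName = 'C:\Program.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe' }
)

$hits = Find-ServiceHijack -Events $SampleEvents -LegitimatePath $LegitPath
$hits | Format-Table TimeCreated, SubjectUserName, NewProcessName -AutoSize

# Live equivalent against the Security log (requires "Audit Process Creation"):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
#     $d = @{ TimeCreated = $_.TimeCreated }
#     ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]$d
# }
# Find-ServiceHijack -Events $live -LegitimatePath $LegitPath
```

Against the sample data the two hits are the C:\Program.exe and C:\Program Files\TFTP.exe launches under services.exe; the legitimate tftpserver.exe start and the Explorer-launched copy are not reported. The same test works unchanged on Sysmon Event ID 1 records if Image and ParentImage are mapped to NewProcessName and ParentProcessName.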