CVE-2021-47767

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to escalate privileges to SYSTEM level by exploiting an unquoted service path in 10-Strike Network Inventory Explorer Pro. Attackers can place malicious executables in directories that are part of the service's unquoted path, causing the service to execute their code with elevated permissions. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • 10-Strike Network Inventory Explorer Pro
Versions: 9.31
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the srvInventoryWebServer service is running with LocalSystem privileges, which is the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to unauthorized access to sensitive data, installation of backdoors, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper endpoint protection, least privilege principles, and service hardening are implemented.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. Public exploit code is available on Exploit-DB (ID 50494).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor website for latest version

Vendor Advisory: https://www.10-strike.com/

Restart Required: Yes

Instructions:

1. Visit https://www.10-strike.com/
2. Download latest version of Network Inventory Explorer Pro
3. Install update over existing installation
4. Restart affected systems

🔧 Temporary Workarounds

Quote Service Path

windows

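Manually modify the service path to include quotes around the executable path. Run the command from an elevated cmd.exe prompt; the space after binPath= is required, and the path must match the one sc qc reports for your installation.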

sc config "srvInventoryWebServer" binPath= "\"C:\Program Files\10-Strike Network Inventory Explorer Pro\srvInventoryWebServer.exe\""

Change Service Account

windows

Change service from LocalSystem to a less privileged account

sc config "srvInventoryWebServer" obj= "NT AUTHORITY\LocalService" password= ""

🧯 If You Can't Patch

  • Restrict write permissions to directories in the service path
  • Implement application whitelisting to prevent unauthorized executables

🔍 How to Verify

Check if Vulnerable:

Check if srvInventoryWebServer service path is unquoted: sc qc "srvInventoryWebServer" | findstr BINARY_PATH_NAME

Check Version:

Check program version in About dialog or registry: HKEY_LOCAL_MACHINE\SOFTWARE\10-Strike\Network Inventory Explorer Pro

Verify Fix Applied:

Re-run sc qc "srvInventoryWebServer" and verify that BINARY_PATH_NAME is enclosed in quotes and/or that SERVICE_START_NAME shows a limited account instead of LocalSystem.
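
The verification steps above can be scripted. This is an added example, not vendor or original-page code: it parses `sc qc` output, reports whether the path is unquoted and whether the service runs as LocalSystem, and lists the directories whose write permissions should be reviewed. The sample output is constructed, and `audit_service` is a hypothetical helper name.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `sc qc "srvInventoryWebServer"` output (abridged);
# the path is the one shown in the workaround above, without quotes.
SAMPLE_SC_QC = r"""
SERVICE_NAME: srvInventoryWebServer
        BINARY_PATH_NAME   : C:\Program Files\10-Strike Network Inventory Explorer Pro\srvInventoryWebServer.exe
        SERVICE_START_NAME : LocalSystem
"""

def _field(text, name):
    """Extract one `NAME : value` field from sc qc output."""
    m = re.search(rf"^[ \t]*{name}[ \t]*:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""

def audit_service(sc_qc_text):
    """Return findings for one service from `sc qc` text (hypothetical helper)."""
    binpath = _field(sc_qc_text, "BINARY_PATH_NAME")
    account = _field(sc_qc_text, "SERVICE_START_NAME")
    # Drop any arguments: treat the image path as ending at the first ".exe".
    end = binpath.lower().find(".exe")
    image = binpath[: end + 4] if end != -1 else binpath
    unquoted = bool(image) and not binpath.startswith('"') and " " in image
    watch, dirs = [], []
    if unquoted:
        # Windows tries each space-delimited prefix as an executable name, so
        # these paths should never exist or appear in process-creation logs.
        for i, ch in enumerate(image):
            if ch == " ":
                cand = image[:i] + ".exe"
                watch.append(cand)
                parent = str(PureWindowsPath(cand).parent)
                if parent not in dirs:
                    dirs.append(parent)  # review write ACLs on this directory
    return {
        "unquoted": unquoted,
        "runs_as_system": account.lower() == "localsystem",
        "watch_paths": watch,
        "dirs_to_lock_down": dirs,
    }

if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(key, "=", value)
```

Feed it the real output of `sc qc "srvInventoryWebServer"` captured on the host; after the quoting workaround is applied, `unquoted` should be False and both lists empty.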

📡 Detection & Monitoring

Log Indicators:

  • Service control manager events for srvInventoryWebServer
  • Process creation from unusual paths
  • Unauthorized privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from service account

SIEM Query:

EventID=4688 AND NewProcessName="*srvInventoryWebServer*" AND SubjectUserName="SYSTEM"
