CVE-2021-47866
📋 TL;DR
WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in GuardTourService that allows local attackers to execute arbitrary code with SYSTEM privileges. This affects systems running WIN-PACK PRO 4.8 where attackers have local access to the machine.
💻 Affected Systems
- WIN-PACK PRO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with SYSTEM privileges, enabling complete control over the affected system.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM privileges and install persistent malware or backdoors.
If Mitigated
Limited impact if proper access controls prevent local users from writing to system directories.
🎯 Exploit Status
Exploitation requires local access to the system. Attackers need write permissions to the system directory or the ability to create malicious executables in the path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for patched version
Vendor Advisory: https://www.security.honeywell.com/product-repository/winpak
Restart Required: Yes
Instructions:
1. Check Honeywell security advisory for patched version.
2. Download and install the latest version from official vendor sources.
3. Restart the system to apply changes.
🔧 Temporary Workarounds
Quote Service Path
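Platform: Windows. Modify the service path to include quotes around the executable path. Run from an elevated cmd.exe prompt; the inner quotes must be escaped as \" because sc consumes the outer pair, and without them the path is stored unquoted again.
sc config GuardTourService binPath= "\"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe\""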
Restrict Directory Permissions
Platform: Windows. Remove write permissions for non-administrative users on the WINPAKPRO directory
icacls "C:\Program Files (x86)\WINPAKPRO" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to prevent local users from writing to system directories.
- Monitor for unauthorized service modifications and suspicious executable creation in system paths.
🔍 How to Verify
Check if Vulnerable:
Check if GuardTourService path is unquoted: sc qc GuardTourService | findstr BINARY_PATH_NAME
Check Version:
Check WIN-PACK PRO version in Control Panel > Programs and Features or via vendor documentation
Verify Fix Applied:
Verify service path is quoted: sc qc GuardTourService should show quotes around the executable path
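Added example (not part of the original page or any vendor tooling): a Python check that applies the verification above to saved `sc qc` output and flags only services whose executable path is unquoted and contains a space, so that unquoted paths with spaces only in their arguments are not reported. The sample output is constructed; `ExampleQuotedSvc` and `ExampleHostedSvc` are hypothetical services, and the `.exe` boundary rule is a heuristic assumption.

```python
import re

# Constructed `sc qc` output for three services (sample data, not from a real host).
# Only the GuardTourService path comes from the page; the other two are hypothetical.
SAMPLE = r"""
SERVICE_NAME: GuardTourService
        BINARY_PATH_NAME   : C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\agent.exe" --service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleHostedSvc
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^[ \t]*(SERVICE_NAME|BINARY_PATH_NAME)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

def parse_services(sc_qc_text):
    """Return {service name: BINARY_PATH_NAME} from concatenated `sc qc` output."""
    services, current = {}, None
    for key, value in FIELD.findall(sc_qc_text):
        if key == "SERVICE_NAME":
            current = value.strip()
        elif current is not None:
            services[current] = value.strip()  # strip() also drops a trailing CR
    return services

def is_unquoted_with_spaces(image_path):
    """True when the executable portion is unquoted and contains a space."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False
    # Heuristic: the executable ends at the first ".exe" followed by whitespace
    # or end of string; anything after that is treated as arguments.
    m = re.match(r"(.+?\.exe)(?=\s|$)", path, re.I)
    exe = m.group(1) if m else path
    return " " in exe

def audit(sc_qc_text):
    """Sorted names of services whose image path needs quoting."""
    paths = parse_services(sc_qc_text)
    return sorted(name for name, p in paths.items() if is_unquoted_with_spaces(p))

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("unquoted service path:", name)
```

After applying the quoting workaround or the vendor fix, the same check run on fresh `sc qc GuardTourService` output should no longer list the service.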
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications
- Security logs showing unauthorized file creation in system directories
Network Indicators:
- Unusual outbound connections from GuardTourService process
SIEM Query:
EventID=7045 OR (ProcessCreation AND (ImagePath="*WINPAKPRO*" OR ParentImage="*WINPAKPRO*"))