CVE-2021-47882

7.8 HIGH

📋 TL;DR

FreeLAN 2.2 on Windows contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with LocalSystem privileges. Attackers can place malicious executables in the service path to be executed during service startup. This affects Windows systems running FreeLAN 2.2 with default service configuration.

💻 Affected Systems

Products:
  • FreeLAN
Versions: 2.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations where FreeLAN runs as a service with an unquoted binary path.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM-level privileges on the Windows host, enabling complete system compromise, persistence, and lateral movement.

🟠 Likely Case

Local authenticated user escalates privileges to SYSTEM, allowing installation of malware, credential theft, and further network access.

🟢 If Mitigated

Attack limited to authenticated local users; proper service hardening prevents exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Any compromised local account can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and the ability to write to directories in the service path. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/freelan-developers/freelan

Restart Required: Yes

Instructions:

  1. Manually edit the FreeLAN service configuration to quote the binary path.
  2. Remove any unauthorized executables from service path directories.
  3. Restart the service.

🔧 Temporary Workarounds

Quote Service Path

windows

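Reconfigure the FreeLAN service so that its binary path is quoted (the value is stored in the Windows registry). Run the commands from an elevated Command Prompt (cmd.exe); in Windows PowerShell, call sc.exe explicitly, because sc is an alias for Set-Content there.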

sc config "FreeLAN" binPath= "\"C:\Program Files\FreeLAN\freelan.exe\""
sc stop "FreeLAN"
sc start "FreeLAN"

Restrict Directory Permissions

windows

Set strict permissions on directories in the service path to prevent unauthorized writes

icacls "C:\Program Files\FreeLAN" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"

🧯 If You Can't Patch

  • Remove write permissions for non-admin users on all directories in the FreeLAN service path
  • Monitor for unauthorized executable creation in FreeLAN installation directories

🔍 How to Verify

Check if Vulnerable:

Run: sc qc "FreeLAN" and check whether the binary path (the BINARY_PATH_NAME field in the output) contains spaces but is not enclosed in quotes

Check Version:

Check FreeLAN version in installed programs or run: "C:\Program Files\FreeLAN\freelan.exe" --version

Verify Fix Applied:

Run: sc qc "FreeLAN" and verify that the binary path (BINARY_PATH_NAME) is properly quoted and that no unauthorized executables exist in the path directories
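
The manual check above can be scripted and extended from FreeLAN to every service on the host. The PowerShell below is an added example, not code from this advisory or from the FreeLAN project; the function name Test-UnquotedServicePath and the sample path strings are assumptions made for illustration.

```powershell
# Added example: flag service paths that are unquoted and contain a space in
# the executable path, and list the directories whose write ACLs to review.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }          # quoted: parsed unambiguously
    # Executable portion = shortest prefix ending in ".exe" followed by space/end.
    $m = [regex]::Match($p, '^(.+?\.exe)(?=\s|$)', 'IgnoreCase')
    if (-not $m.Success -or -not $m.Value.Contains(' ')) { return $null }
    $exe = $m.Value
    # Each space is a point where the path can be split during resolution; the
    # parent directory of each prefix is where write ACLs need reviewing.
    $dirs = for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { [IO.Path]::GetDirectoryName($exe.Substring(0, $i)) }
    }
    [pscustomobject]@{
        ExePath    = $exe
        ReviewDirs = @($dirs | Where-Object { $_ } | Select-Object -Unique)
    }
}

# Constructed sample values (the FreeLAN path is the one used on this page).
$samples = @(
    'C:\Program Files\FreeLAN\freelan.exe',
    '"C:\Program Files\FreeLAN\freelan.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $r = Test-UnquotedServicePath -PathName $s
    '{0,-45} {1}' -f $s, $(if ($r) { "UNQUOTED; review: $($r.ReviewDirs -join ', ')" } else { 'ok' })
}

# Live audit of every service on the local host (read-only).
Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $r = Test-UnquotedServicePath -PathName $_.PathName
    if ($r) {
        [pscustomobject]@{ Name = $_.Name; StartName = $_.StartName
                           PathName = $_.PathName; ReviewDirs = $r.ReviewDirs -join '; ' }
    }
} | Format-List
```

Run icacls against each directory reported under ReviewDirs to confirm that non-administrative users cannot create files there.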

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 showing unexpected process execution from FreeLAN directories
  • Service Control Manager logs showing FreeLAN service failures

Network Indicators:

  • Unusual outbound connections from FreeLAN service account

SIEM Query:

source="WinEventLog:Security" EventID=4688 AND (NewProcessName="*FreeLAN*" OR NewProcessName="*freelan*") AND SubjectUserName!="SYSTEM"
