CVE-2022-27050

7.8 HIGH

📋 TL;DR

CVE-2022-27050 is an unquoted service path vulnerability in BitComet for Windows that allows local attackers to escalate privileges to SYSTEM level by placing malicious executables in specific directories. This affects Windows systems running vulnerable versions of BitComet Service. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • BitComet Service
Versions: All versions before 1.8.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires BitComet Service to be installed and running. Vulnerability exists in the service path configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full SYSTEM privilege escalation leading to complete system compromise, persistence installation, credential theft, and lateral movement capabilities.

🟠 Likely Case

Local privilege escalation allowing attackers to gain SYSTEM privileges from a lower privileged account.

🟢 If Mitigated

No impact if proper access controls prevent local users from writing to vulnerable directories or if the service runs with minimal privileges.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.
🏢 Internal Only: HIGH - Significant risk in environments where local users have write access to vulnerable directories or where privilege separation is weak.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to write to directories in the service path. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.6 and later

Vendor Advisory: Not officially published by vendor, but referenced in security research

Restart Required: Yes

Instructions:

1. Download BitComet version 1.8.6 or later from the official source.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure the service update takes effect.

🔧 Temporary Workarounds

Apply proper service path quoting (Windows)

Manually edit the service configuration to use a quoted path. Note that sc.exe requires a space after the equals sign of each option, and the path must match where BitComet is actually installed:

sc config "BitComet Service" binPath= "\"C:\Program Files\BitComet\BitComet.exe\""

Restrict directory permissions (Windows)

Remove write permissions for non-administrative users on vulnerable directories:

icacls "C:\Program Files\BitComet" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Uninstall BitComet Service if not required
  • Run BitComet Service with minimal privileges using service configuration tools

🔍 How to Verify

Check if Vulnerable:

Check the service configuration with sc qc "BitComet Service" and inspect BINARY_PATH_NAME: the service is vulnerable if the executable path contains spaces and is not enclosed in quotes.

Check Version:

Check BitComet about dialog or examine installed program version in Control Panel

Verify Fix Applied:

Verify the service path is quoted: sc qc "BitComet Service" should show BINARY_PATH_NAME enclosed in quotes. Check that the BitComet version is 1.8.6 or later.
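The verification step above, worked as an added Python example (not code from this page or from BitComet): it parses the output of sc qc, flags an unquoted path with spaces, lists the directories whose write ACLs the icacls workaround must cover, and builds the quoted binPath value for sc config. The sc qc output below is constructed, not captured from a real host.

```python
import ntpath
import re

# Constructed sample of `sc qc "BitComet Service"` output (not captured from a real host).
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BitComet Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\BitComet\\BitComet.exe --service
        DISPLAY_NAME       : BitComet Service
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_name(sc_qc_output: str) -> str:
    """Return the raw BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*)$", sc_qc_output, re.MULTILINE)
    if not m:
        raise ValueError("BINARY_PATH_NAME not found in sc qc output")
    return m.group(1).strip()


def split_exe_and_args(binpath: str) -> tuple:
    """Split an unquoted binPath at the end of the first '.exe' token (exe, args)."""
    m = re.match(r"(.*?\.exe)\b(.*)$", binpath, re.IGNORECASE)
    if not m:
        return binpath, ""
    return m.group(1), m.group(2).strip()


def is_unquoted_with_spaces(binpath: str) -> bool:
    """True when the path is unquoted and the executable path contains a space."""
    if binpath.startswith('"'):
        return False
    exe, _ = split_exe_and_args(binpath)
    return " " in exe


def directories_to_audit(binpath: str) -> list:
    """Directories along the path whose write ACLs must be restricted (cf. icacls)."""
    exe, _ = split_exe_and_args(binpath)
    dirs, prefix = [], ""
    for token in exe.split(" ")[:-1]:          # every space-separated prefix but the full path
        prefix = token if not prefix else prefix + " " + token
        d = ntpath.dirname(prefix)             # ntpath: Windows semantics on any host
        if d and d not in dirs:
            dirs.append(d)
    return dirs


def quoted_binpath(binpath: str) -> str:
    """The corrected value to pass as `binPath= ...` to sc config."""
    if binpath.startswith('"'):
        return binpath
    exe, args = split_exe_and_args(binpath)
    return f'"{exe}"' + (f" {args}" if args else "")
```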

📡 Detection & Monitoring

Log Indicators:

  • Service control manager events showing BitComet service path changes
  • Process creation events showing unexpected executables running from BitComet directories

Network Indicators:

  • Unusual outbound connections from SYSTEM-level processes

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS 'BitComet' AND SubjectUserName!='SYSTEM'
