CVE
-pending-
Vulnerable Software
Remote Desktop Commander Suite Agent <= Version 4.8
Vulnerability
Unquoted Service Path Vulnerability
Time Line
- 12.11.2021 Vendor informed
- 10.12.2021 Vendor confirmed the issue and kindly asked for a release on the 9th of February 2022
- 09.02.2022 Disclosure
Description
IF a customer a.) installed our agent service in the default path of C:\Program Files\RDPSoft\Remote Desktop Reporter Agent and b.) has not weakened the default Windows NTFS permissions in the root of C:\ or under the C:\Program Files folder. By default, standard users do not have permissions to create new files in the root of C: or in the Program Files folder and subfolders. If our agent service was installed to a different folder and/or the default NTFS permissions were weakened, this may make the unquoted service path exploitable.
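
The following audit helper is an added example, not code from the vendor or from this advisory. Given a service ImagePath string, it lists the folders whose NTFS permissions decide whether an unquoted path is a problem, following the documented CreateProcess handling of unquoted command lines. The binary name `Agent.exe`, the `-service` argument and the `D:\Apps\RDP Tools` folder are constructed placeholders; only the default install folder comes from the description above.

```python
import ntpath

# Constructed sample ImagePath values. "Agent.exe", "-service" and the D:\ path
# are placeholders: the page names the install folder, not the service binary.
SAMPLES = {
    "default, unquoted": r"C:\Program Files\RDPSoft\Remote Desktop Reporter Agent\Agent.exe -service",
    "default, quoted": r'"C:\Program Files\RDPSoft\Remote Desktop Reporter Agent\Agent.exe" -service',
    "custom folder, unquoted": r"D:\Apps\RDP Tools\Agent.exe",
}


def ambiguous_candidates(image_path):
    """Paths Windows would try before the real binary for an unquoted ImagePath.

    Assumes the real binary is the first space-delimited prefix ending in
    ".exe"; a quoted path has no ambiguity and yields an empty list.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        if not tokens[i - 1]:
            continue  # run of spaces: no new prefix to consider
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the intended service binary
        candidates.append(prefix + ".exe")
    return candidates


def dirs_to_audit(image_path):
    """Unique folders where standard users must not be able to create files."""
    seen = []
    for cand in ambiguous_candidates(image_path):
        folder = ntpath.dirname(cand)
        if folder not in seen:
            seen.append(folder)
    return seen


if __name__ == "__main__":
    for label, path in SAMPLES.items():
        print(f"{label}: audit {dirs_to_audit(path) or 'nothing (not ambiguous)'}")
```

For the default install path the folders returned are the root of `C:\` and `C:\Program Files\RDPSoft`, which are the locations whose default permissions the description relies on. Quoting the ImagePath removes the ambiguity regardless of folder permissions.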