Unquoted Search Path bug in Turbo Float Server (CWE-428)

Hi,

We are using Turbo Float Server 4.3.3 on Windows. We have a customer who has reported to us that they have run a vulnerability scanner (Nessus) which has discovered that TurboFloatServer.exe when run as a service is using unquoted paths, which makes it susceptible to the following vulnerability:

https://cwe.mitre.org/data/definitions/428.html

Is it possible to make a change to rectify this please?

Thank you.

Firstly, use the latest version. https://wyday.com/limelm/api/tf-changes/

Next, after using the latest version, what exactly is the problem / bug being reported? Yes, we accept command-line arguments. But we do not execute any external programs. And we validate input before we use it.

Automated scanners are very rarely useful. Please provide useful information about an actual bug and we'll look into it.

I have updated to version 4.4.4 which has the same characteristics.

  • Create a directory which has spaces in the name - for example - C:\Program Files\Turbo Float Server
  • Copy TurboFloatServer.exe into this directory
  • Create or copy an executable into the top level C: directory and rename it program.exe
  • Attempt to install Turbo Float as a service using the TurboFloatServer.exe -i command
  • This will fail with error 1053 - What has probably happened is that the CreateService() API call does not have quoted paths in the string, so it attempts to execute C:\program.exe instead of the full path to the Turbo Float Server
  • If you delete/rename C:\program.exe and retry installing the Turbo Float Server as a service with -i, it will now work

Answer

This isn't a vulnerability, but it is a bug. It will be fixed in the next version.

Why isn't it a vulnerability? Because a malicious actor has to have admin permissions to create the intermediate folders & files to take advantage of this bug. Meaning, they already have admin access and can do whatever they want.

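For auditing, the behaviour reproduced in the steps above can be checked offline. This is an added example, not code from the thread or from the vendor. It takes a service's ImagePath string and lists the earlier paths Windows would try for an unquoted value, following CreateProcess's documented handling of unquoted command lines that contain spaces. The function names and the sample service names are assumptions made for illustration.

```python
import ntpath

def shadow_candidates(image_path):
    """Paths Windows would try before the intended binary for an unquoted ImagePath."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable path is unambiguous
    found = []
    pos = cmd.find(" ")
    while pos != -1:
        prefix = cmd[:pos]
        ext = ntpath.splitext(prefix)[1].lower()
        if ext == ".exe":
            break  # heuristic: the intended binary ends here, the rest is arguments
        if not prefix.endswith(" "):
            # ".exe" is appended only when the token has no extension
            found.append(prefix if ext else prefix + ".exe")
        pos = cmd.find(" ", pos + 1)
    return found

def quoted_image_path(exe_path, args=""):
    """The corrected form: the executable path wrapped in double quotes."""
    return f'"{exe_path}"' + (f" {args}" if args else "")

def audit(services):
    """Map service name -> candidate paths, for services with an ambiguous ImagePath."""
    return {name: c for name, path in services.items()
            if (c := shadow_candidates(path))}

# Constructed sample data; the first path is the one from the reproduction steps.
TFS = r"C:\Program Files\Turbo Float Server\TurboFloatServer.exe"
SAMPLE_SERVICES = {
    "tfs-unquoted": TFS,
    "tfs-quoted": quoted_image_path(TFS),
    "tfs-no-spaces": r"C:\TFS\TurboFloatServer.exe",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name, "is unquoted; check write permissions on the directories of:")
        for p in paths:
            print("   ", p)
```

On a live system the ImagePath values come from the service entries under `HKLM\SYSTEM\CurrentControlSet\Services`. The first candidate for the sample path is `C:\Program.exe`, which is the file the reproduction steps create.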