High severity 7.8 · NVD Advisory · Published Apr 4, 2026 · Updated Apr 16, 2026

CVE-2016-20061

Description

sheed AntiVirus 2.3's ShavProt service has an unquoted path vulnerability enabling local privilege escalation to LocalSystem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The sheed AntiVirus 2.3 installation configures the ShavProt service with an unquoted binary path: C:\Program Files\Sheed AntiVirus\shgrprot.exe. This is a CWE-428 (Unquoted Search Path or Element) vulnerability [1][2]. When Windows starts the service, it resolves the unquoted path by trying each space-delimited prefix in turn as an executable name, so a binary planted at an earlier prefix is run in place of the intended one.

Exploitation

Prerequisites

Exploitation requires local access to the system with privileges sufficient to create a file at one of the earlier candidate locations in the unquoted path, such as C:\Program.exe or C:\Program Files\Sheed.exe. The attacker must then trigger a service restart or system reboot. The service runs with LocalSystem privileges, as shown by the SERVICE_START_NAME field [1].

Impact

Upon service start, Windows will execute the attacker's planted executable instead of the legitimate shgrprot.exe. This grants the attacker code execution with full LocalSystem account rights, the highest level of privilege on a Windows system, enabling full control over the affected host [1][2].

Mitigation

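The vendor has not released a patched version; the latest version 2.3 remains vulnerable. Administrators should manually quote the service binary path using sc config ShavProt binPath= "\"C:\Program Files\Sheed AntiVirus\shgrprot.exe\"" or remove the software if no update is available [1][2]. The escaped inner quotes are required: the outer pair is consumed by the command line, and only the inner pair is stored in the service configuration. Running sc qc ShavProt afterwards should show BINARY_PATH_NAME with the quotes in place.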
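An audit check for the condition described above, added here as an example and not taken from the advisory or the vendor: given a service's binary path value, it lists the locations Windows would try before the intended executable, which are the locations whose write permissions need reviewing. The function names and the sample values are assumptions made for illustration.

```python
import re

# Constructed sample values: the advisory's path before and after quoting,
# plus an unrelated service value that carries arguments.
UNQUOTED = r"C:\Program Files\Sheed AntiVirus\shgrprot.exe"
QUOTED = r'"C:\Program Files\Sheed AntiVirus\shgrprot.exe"'
WITH_ARGS = r"C:\Windows\system32\svchost.exe -k netsvcs"


def candidate_images(image_path):
    """Return the executables Windows may try, in order, before the full path.

    An empty list means the value is not exposed: it is quoted, or there is
    no space inside the executable portion of the path.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return []
    # Audit heuristic (assumption): the executable portion ends at the first
    # ".exe" followed by whitespace or end of string; the rest is arguments.
    match = re.search(r"\.exe(?=\s|$)", value, re.IGNORECASE)
    exe = value[:match.end()] if match else value
    candidates = []
    for pos, ch in enumerate(exe):
        if ch != " ":
            continue
        prefix = exe[:pos]
        if not prefix or prefix.endswith(" "):
            continue  # skip runs of consecutive spaces
        # Windows appends ".exe" to a prefix that has no extension of its own.
        has_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if has_exe else prefix + ".exe")
    return candidates


def audit(services):
    """Map service name -> candidate list, keeping only exposed services."""
    findings = {}
    for name, path in services.items():
        found = candidate_images(path)
        if found:
            findings[name] = found
    return findings


if __name__ == "__main__":
    sample = {"ShavProt": UNQUOTED, "ExampleSvc": WITH_ARGS}  # constructed
    for name, paths in audit(sample).items():
        print(name, "->", paths)
```

After the sc config change, passing the new value to candidate_images should return an empty list.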

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
