VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Vembu StoreGrid 4.0 Unquoted Service Path Privilege Escalation

CVE-2016-20086

Description

Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and restart the service to execute code with LocalSystem privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Unquoted service binary path allows Windows to interpret a space-delimited component of the path as an attacker-controlled executable."

Attack vector

A local attacker with write access to a directory earlier in the unquoted path can place a malicious executable (e.g., `Program.exe` in `C:\` for the path `C:\Program Files\MSP...`). When the vulnerable service is restarted or the system is rebooted, Windows will first attempt to run the attacker's planted executable instead of the intended binary, and because the service runs as `LocalSystem`, the attacker code gains the highest Windows privilege level [ref_id=1]. This is a classic unquoted service path privilege escalation (CWE-428).

Affected code

The two Windows services 'RemoteBackup' and 'RemoteBackup_webServer' installed by Vembu StoreGrid 4.0 have unquoted `BINARY_PATH_NAME` values (e.g., `C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe` and `C:\Program Files\MSP\RemoteBackup\apache\Apache.exe`) [ref_id=1]. Because the paths contain spaces and are not enclosed in quotes, the Windows service control manager treats the text up to each space as a potential executable name and tries those truncated paths before the full one.

What the fix does

The advisory does not include a patch or vendor fix [ref_id=1]. To remediate the vulnerability, the service binary paths must be enclosed in double quotes (e.g., `"C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe"`) so that the Windows service manager treats the entire path as a single executable location rather than splitting on spaces. Without such a fix, local attackers can escalate to SYSTEM by placing a planted executable at a location Windows tries before the intended binary.
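An added audit sketch (not code from the advisory or the vendor): for a service's `BINARY_PATH_NAME` it lists the executables Windows would try before the intended binary, the directories whose write ACLs therefore matter, and the quoted value to set. The names `audit` and `report`, the rule that the binary ends at the first token ending in `.exe`, and the two "Constructed" sample entries are assumptions.

```python
import ntpath

def audit(image_path):
    """Return (hijack_candidates, quoted_fix) for one service ImagePath.

    hijack_candidates: executables Windows would try, in order, before the
    intended binary. Assumption: the binary ends at the first
    space-delimited token that ends in ".exe"; the rest is arguments.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return [], s                      # already quoted: nothing to fix
    tokens = s.split(" ")
    end = next((i for i, t in enumerate(tokens, 1)
                if t.lower().endswith(".exe")), None)
    if end is None:
        return [], s                      # no .exe boundary: review by hand
    candidates = []
    for i in range(1, end):
        prefix = " ".join(tokens[:i])
        # Windows appends .exe when the truncated name has no extension
        has_ext = ntpath.splitext(prefix)[1] != ""
        candidates.append(prefix if has_ext else prefix + ".exe")
    exe, args = " ".join(tokens[:end]), " ".join(tokens[end:])
    return candidates, f'"{exe}"' + (f" {args}" if args else "")

# First two values are the paths quoted in the advisory; the rest are constructed.
SAMPLE = {
    "RemoteBackup": r"C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe",
    "RemoteBackup_webServer": r"C:\Program Files\MSP\RemoteBackup\apache\Apache.exe",
    "ConstructedWithArgs": r"C:\Program Files\Sub Dir\Tool Name.exe -k run",
    "ConstructedQuoted": r'"C:\Program Files\Vendor\svc.exe" -k run',
}

def report(services=SAMPLE):
    """Map each flagged service to the directories to ACL-check and its fix."""
    out = {}
    for name, path in services.items():
        candidates, fix = audit(path)
        if candidates:
            dirs = sorted({ntpath.dirname(c) for c in candidates})
            out[name] = {"check_write_acl": dirs, "quoted": fix}
    return out

if __name__ == "__main__":
    for name, finding in report().items():
        print(name, finding)
```

On a live host the input strings would come from `sc qc <service>` output, and each reported directory should be writable only by administrators until the path is quoted.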

Preconditions

  • input: Attacker must have local access to the Windows machine and the ability to write a file to a directory along the unquoted service binary path (e.g., C:\)
  • config: The vulnerable service (RemoteBackup or RemoteBackup_webServer) must be stopped and restarted or the system must be rebooted
  • config: The service runs as LocalSystem, so the planted executable inherits the highest privilege level

Reproduction

1. Run `sc qc RemoteBackup` or `sc qc RemoteBackup_webServer` on the target Windows machine to confirm the unquoted binary path (e.g., `C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe`).
2. Place a malicious executable named `Program.exe` in `C:\` (or another directory earlier in the path, such as `C:\Program`).
3. Stop the service (e.g., `net stop RemoteBackup`) and restart it (`net start RemoteBackup`), or reboot the system.
4. The planted executable runs as `LocalSystem`, granting elevated privileges [ref_id=1].

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
