CVE-2020-26131

Vulnerability

The vulnerability resides in the default installation directories of Open DHCP Server (Regular) version 1.75 and Open DHCP Server (LDAP Based) version 0.1Beta. The directories %SYSTEMDRIVE%\OpenDHCPServer\ and %SYSTEMDRIVE%\OpenDHCPLdap\ are created with weak permissions that allow any member of the 'Authenticated Users' group to modify files within them [3]. This affects the core executables OpenDHCPServer.exe and OpenDHCPLdap.exe, which run as a Windows service.

Exploitation

An attacker who already has local access to the system as an authenticated user can replace the legitimate OpenDHCPServer.exe or OpenDHCPLdap.exe binary with a malicious executable of the same name. No additional authentication is required beyond being a member of the 'Authenticated Users' group. The attacker then waits for the system to reboot (or triggers a restart of the service), at which point the Windows service control manager executes the replaced binary automatically [3].

Impact

Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, the highest level of access on the Windows operating system. This results in a complete compromise of confidentiality, integrity, and availability, as the attacker can install programs, create or modify any data, and create new accounts with full user rights.

Mitigation

The vendor (Achal Dhir) did not respond to the vulnerability disclosure, and no official fix or patched version has been released [3]. A workaround is to change the installation directory to %SYSTEMDRIVE%\Program Files\ or %SYSTEMDRIVE%\Program Files(x86)\, as these directories, by default, grant 'Authenticated Users' only read and execute permissions, preventing the replacement of binaries [3]. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.