VYPR
Unrated severity · NVD Advisory · Published Apr 4, 2022 · Updated Aug 4, 2024

CVE-2021-43454

Description

An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AnyTXT Searcher 1.2.394 suffers from an unquoted service path vulnerability allowing local privilege escalation.

Vulnerability

An unquoted service path vulnerability exists in AnyTXT Searcher version 1.2.394 in the ATService executable path C:\Program Files (x86)\AnyTXT Searcher\atservice.exe. The service binary path is not enclosed in quotes, which allows a local attacker to insert a malicious executable earlier in the path hierarchy if they have write access to a folder within the unquoted path [1], [2].

Exploitation

An attacker with local access and the ability to write to a directory that appears earlier in the unquoted path (e.g., C:\Program Files (x86)\AnyTXT Searcher\ or one of its parent directories, depending on permissions) can place a crafted executable named atservice.exe in that location. The service runs with SYSTEM privileges. When the service starts (it is configured as delayed auto-start), Windows will execute the malicious binary instead of the legitimate one [2].

Impact

Successful exploitation results in local privilege escalation to SYSTEM, enabling the attacker to execute arbitrary code with the highest level of system access, potentially leading to complete compromise of the affected Windows host [1], [2].

Mitigation

As of the publication date (April 2022), AnyTXT Searcher 1.2.394 is the affected version. No vendor advisory or patch has been found in the available references [1], [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. A workaround is to manually enclose the service binary path in quotes via sc config ATService binPath= "\"C:\Program Files (x86)\AnyTXT Searcher\atservice.exe\"" (the escaped inner quotes are the ones stored in the service configuration; the outer pair is consumed by the command line), or to restrict write permissions to the installation directory.
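The audit behind that workaround, as an added example that is not part of the advisory or of the vendor's code: it flags unquoted ImagePath values containing a space, lists the directories whose write permissions need review, and produces the quoted replacement value. The function names and the sample service table are assumptions; only the ATService path comes from the advisory.

```python
import re

# Constructed sample of ImagePath values as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# Only the ATService path is from the advisory; the others are made up.
SAMPLE_SERVICES = {
    "ATService": r"C:\Program Files (x86)\AnyTXT Searcher\atservice.exe",
    "QuotedSvc": r'"C:\Program Files\Example App\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

_EXE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (exe, args) for an unquoted ImagePath, or None if quoted/unparsable."""
    value = image_path.strip()
    match = None if value.startswith('"') else _EXE.match(value)
    return (match.group(1), (match.group(2) or "").strip()) if match else None


def dirs_to_review(exe):
    """Directories Windows looks in while resolving an unquoted `exe`.

    CreateProcess treats each space as a possible end of the file name, so
    the parent directory of every space-delimited prefix is consulted before
    the real binary's own directory (included last).
    """
    cut_points = [i for i, ch in enumerate(exe) if ch == " "] + [len(exe)]
    dirs = []
    for i in cut_points:
        parent = exe[: exe.rfind("\\", 0, i) + 1]
        if parent not in dirs:
            dirs.append(parent)
    return dirs


def audit(services):
    """Map service name -> finding for each unquoted ImagePath with a space."""
    findings = {}
    for name, image_path in services.items():
        parsed = split_image_path(image_path)
        if parsed is None or " " not in parsed[0]:
            continue  # quoted, unparsable, or no space in the executable path
        exe, args = parsed
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings[name] = {"review_acl": dirs_to_review(exe), "quoted_image_path": fixed}
    return findings


if __name__ == "__main__":
    for svc, finding in audit(SAMPLE_SERVICES).items():
        print(svc, finding)
```

On a live host the same table can be filled from the Services registry key instead of the constructed sample.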

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • AnyTXT Searcher/AnyTXT Searcher (source: description)
  • AnyTXT/Searcher (source: llm-create)
    Range: = 1.2.394

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
