CVE-2016-20061

Description

sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

sheed AntiVirus 2.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Detection PoC for Unquoted Service Path
# This script checks if the ShavProt service path is unquoted.

import win32service
import win32con

def check_unquoted_service_path(service_name):
    try:
        # Open the Service Control Manager
        scm = win32service.OpenSCManager(None, None, win32con.SC_MANAGER_CONNECT)
        # Open the specific service
        service = win32service.OpenService(scm, service_name, win32con.SERVICE_QUERY_CONFIG)
        # Query the service config
        config = win32service.QueryServiceConfig(service)
        path = config[2] # BinaryPathName
        
        print(f"[*] Service Path: {path}")
        
        if path and ' ' in path:
            if not (path.startswith('"') and path.endswith('"')):
                print(f"[!] VULNERABLE: Service '{service_name}' has an unquoted path containing spaces.")
                return True
            else:
                print(f"[+] Safe: Path is quoted.")
        else:
            print(f"[+] Safe: No spaces or empty path.")
            
        win32service.CloseServiceHandle(service)
        win32service.CloseServiceHandle(scm)
    except Exception as e:
        print(f"Error checking service: {e}")
    return False

if __name__ == "__main__":
    # Target service mentioned in CVE
    check_unquoted_service_path("ShavProt")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2016-20061
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2016-20061
[3] CVE Details https://www.cvedetails.com/cve/CVE-2016-20061/
[4] VulDB https://vuldb.com/cve/CVE-2016-20061
[5] http://dl.sheedantivirus.ir/setup.exe
[6] http://sheedantivirus.ir/
[7] https://www.exploit-db.com/exploits/40497
[8] https://www.vulncheck.com/advisories/sheed-antivirus-unquoted-service-path-privilege-escalation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2016-20061", "sourceIdentifier": "[email protected]", "published": "2026-04-04T14:16:18.930", "lastModified": "2026-04-16T16:15:56.380", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "http://dl.sheedantivirus.ir/setup.exe", "source": "[email protected]"}, {"url": "http://sheedantivirus.ir/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40497", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/sheed-antivirus-unquoted-service-path-privilege-escalation", "source": "[email protected]"}]}}