Security Vulnerability Report
中文
CVE-2017-20218 CVSS 7.8 HIGH

CVE-2017-20218

Published: 2026-03-16 14:17:51
Last Modified: 2026-04-15 14:56:46
Source: [email protected]

Description

Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Serviio PRO 1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2017-20218 PoC - Serviio PRO Unquoted Service Path Privilege Escalation This PoC demonstrates the vulnerability by checking if Serviio service exists and if the service path is unquoted. """ import subprocess import os import sys def check_serviio_service(): """Check if Serviio service exists and its configuration""" try: # Query Serviio service information result = subprocess.run( ['sc', 'qc', 'Serviio'], capture_output=True, text=True ) if 'BINPATH' in result.stdout: print("[+] Serviio service found!") # Extract binary path for line in result.stdout.split('\n'): if 'BINPATH' in line: path = line.split(':', 1)[1].strip() print(f"[+] Binary path: {path}") # Check if path is quoted if not (path.startswith('"') and path.endswith('"')): print("[!] VULNERABLE: Path is not quoted!") print("[!] Attackers can place malicious executable in path segments") return True else: print("[-] Path is properly quoted") return False else: print("[-] Serviio service not found") return False except Exception as e: print(f"[-] Error checking service: {e}") return False def check_directory_permissions(path): """Check if Users group has excessive permissions""" try: result = subprocess.run( ['icacls', path], capture_output=True, text=True ) if 'Users' in result.stdout and 'Full' in result.stdout: print(f"[!] VULNERABLE: Users group has Full control on {path}") return True return False except Exception as e: print(f"[-] Error checking permissions: {e}") return False def main(): print("=" * 60) print("CVE-2017-20218 - Serviio PRO Unquoted Service Path PoC") print("=" * 60) # Check if running on Windows if sys.platform != 'win32': print("[-] This PoC only works on Windows systems") return print("\n[1] Checking Serviio service configuration...") service_vuln = check_serviio_service() print("\n[2] Checking Serviio directory permissions...") default_path = r'C:\Program Files\Serviio' if os.path.exists(default_path): check_directory_permissions(default_path) else: print(f"[-] Serviio directory not found at {default_path}") print("\n[3] Summary") print("-" * 40) if service_vuln: print("[!] System is VULNERABLE to CVE-2017-20218") print("[!] An attacker with low privileges can:") print(" 1. Place a malicious Program.exe in C:\\") print(" 2. Wait for service restart or system reboot") print(" 3. Gain SYSTEM level code execution") else: print("[-] System appears to be patched") if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2017-20218", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:51.317", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot."}, {"lang": "es", "value": "Serviio PRO 1.8 contiene una vulnerabilidad de ruta de búsqueda sin comillas en el servicio de Windows que permite a usuarios locales ejecutar código arbitrario con privilegios elevados al colocar ejecutables maliciosos en la ruta raíz del sistema. Además, permisos de directorio incorrectos con acceso total para el grupo Usuarios permiten a usuarios autenticados reemplazar el archivo ejecutable con binarios arbitrarios, lo que permite la escalada de privilegios durante el inicio del servicio o el reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://blogs.securiteam.com/index.php/archives/3094", "source": "[email protected]"}, {"url": "https://cxsecurity.com/issue/WLB-2017050019", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125644", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/142384", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/41959/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/serviio-pro-local-privilege-escalation-via-unquoted-path", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5405.php", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.