Security Vulnerability Report
CVE-2020-36980 CVSS 7.8 HIGH

CVE-2020-36980

Published: 2026-01-27 19:16:11
Last Modified: 2026-04-15 00:35:42

Description

SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

SAntivirus IC 10.0.21.61

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2020-36980 PoC - SAntivirus IC Unquoted Service Path
Checks if the SAntivirus IC service has an unquoted path vulnerability.
Note: This is for educational and authorized testing purposes only.
"""
import subprocess
import sys


def check_unquoted_service_path(service_name):
    """
    Check if a Windows service has an unquoted executable path.
    Returns True if vulnerable (unquoted path with spaces), False otherwise.
    """
    try:
        # "sc qc" prints the service configuration, including BINARY_PATH_NAME
        result = subprocess.run(
            ['sc', 'qc', service_name],
            capture_output=True,
            text=True
        )
        output = result.stdout

        # Look for BINARY_PATH_NAME in the output
        for line in output.split('\n'):
            if 'BINARY_PATH_NAME' in line:
                path = line.split(':', 1)[1].strip()
                print(f"Service path: {path}")

                # Only the executable portion matters: spaces in arguments
                # after the first ".exe" do not make the path ambiguous.
                exe_end = path.lower().find('.exe')
                exe_part = path[:exe_end + 4] if exe_end != -1 else path

                # Check if the executable path contains spaces and is not quoted
                has_spaces = ' ' in exe_part
                is_quoted = path.startswith('"') or path.startswith("'")

                if has_spaces and not is_quoted:
                    print("[!] VULNERABLE: Path contains spaces but is not quoted!")
                    print("[*] An attacker could place a malicious executable in an intermediate directory")
                    return True
                else:
                    print("[+] NOT VULNERABLE: Path is properly quoted or has no spaces")
                    return False

        print(f"[-] Service '{service_name}' not found or no path information available")
        return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False


def main():
    # Target service name for SAntivirus IC
    service_name = "SantivirusIC"  # Common service name, may vary

    print("=" * 60)
    print("CVE-2020-36980 - SAntivirus IC Unquoted Service Path Check")
    print("=" * 60)

    # Check the service
    is_vulnerable = check_unquoted_service_path(service_name)

    print("\n" + "=" * 60)
    if is_vulnerable:
        print("RESULT: Target is VULNERABLE to CVE-2020-36980")
        print("An attacker with local access can escalate privileges to SYSTEM")
    else:
        print("RESULT: Target appears NOT vulnerable")
    print("=" * 60)

    # Exit code 1 signals a vulnerable configuration, 0 otherwise
    return 0 if not is_vulnerable else 1


if __name__ == "__main__":
    sys.exit(main())
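
The remediation side of the same weakness (CWE-428), as an added example that is not part of the original page or of the vendor's code: given service ImagePath values, it decides which ones need quoting and produces the corrected value, leaving arguments untouched. The service names and paths in the sample inventory are constructed for illustration, and the values are assumed to have environment variables already expanded.

```python
import re

# Executable portion of an ImagePath: shortest prefix ending in ".exe" that is
# followed by whitespace (arguments) or the end of the string.
_EXE_RE = re.compile(r'^(?P<exe>.+?\.exe)(?P<args>(?:\s.*)?)$', re.IGNORECASE)


def audit_image_path(image_path):
    """Return (needs_fix, corrected_value) for one service ImagePath string.

    Assumes environment variables in the value are already expanded.
    """
    value = image_path.strip()
    if value.startswith('"'):
        return False, value              # already quoted
    match = _EXE_RE.match(value)
    if match is None:
        return False, value              # not an .exe command line (e.g. a driver)
    exe, args = match.group('exe'), match.group('args')
    if ' ' not in exe:
        return False, value              # spaces only in arguments, or none at all
    return True, f'"{exe}"{args}'        # quote the executable, keep the arguments


def remediation_plan(services):
    """Map service name -> corrected ImagePath for every entry that needs quoting."""
    plan = {}
    for name, image_path in services.items():
        needs_fix, corrected = audit_image_path(image_path)
        if needs_fix:
            plan[name] = corrected
    return plan


# Constructed sample inventory (hypothetical names and paths, not taken from
# the affected product).
SAMPLE_SERVICES = {
    'ExampleAgent': r'C:\Program Files (x86)\Example Vendor\Agent\agent.exe -service',
    'QuotedAgent': r'"C:\Program Files\Example Vendor\agent.exe" -service',
    'SvcHostStyle': r'C:\Windows\System32\svchost.exe -k netsvcs',
    'ArgsWithSpaces': r'C:\Tools\agent.exe --log C:\My Logs\agent.log',
}

if __name__ == '__main__':
    for name, fixed in remediation_plan(SAMPLE_SERVICES).items():
        # Value to write to HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
        print(f'{name}: {fixed}')
```

Only `ExampleAgent` is flagged: the other three entries are already quoted, have no space in the executable path, or have spaces only in their arguments.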

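References

https://www.exploit-db.com/exploits/49042
https://www.segurazo.com/download.html
https://www.vulncheck.com/advisories/santivirus-ic-santivirusic-unquoted-service-path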

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36980", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:10.947", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions."}, {"lang": "es", "value": "SAntivirus IC 10.0.21.61 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta ejecutable sin comillas para inyectar archivos maliciosos en la ruta binaria del servicio, lo que permite la escalada de privilegios a permisos de nivel de sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49042", "source": "[email protected]"}, {"url": "https://www.segurazo.com/download.html", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/santivirus-ic-santivirusic-unquoted-service-path", "source": "[email protected]"}]}}