CVE-2022-50933

#!/usr/bin/env python3 """ CVE-2022-50933 PoC - Cain & Abel Unquoted Service Path This script demonstrates the unquoted service path vulnerability in Cain & Abel 4.9.56 Note: For educational and authorized testing purposes only """ import os import sys import subprocess def check_vulnerable_service(): """Check if Cain & Abel service has unquoted path vulnerability""" try: # Query Windows service information using sc command result = subprocess.check_output( ['sc', 'qc', 'Cain'], stderr=subprocess.STDOUT, text=True ) print("[+] Cain service configuration:") print(result) # Check if BINARY_PATH_NAME contains spaces and is not quoted if 'BINARY_PATH_NAME' in result: lines = result.split('\n') for line in lines: if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[+] Binary Path: {path}") # Check if path is unquoted and contains spaces if not path.startswith('"') and ' ' in path: print("[!] VULNERABLE: Path contains spaces and is not quoted!") return True else: print("[-] NOT vulnerable or service not found") return False except subprocess.CalledProcessError as e: print(f"[-] Service query failed: {e}") return False except Exception as e: print(f"[-] Error: {e}") return False def create_payload_exploit(): """Generate malicious executable for privilege escalation""" # This is a simplified demonstration # In real attack, attacker would create a malicious executable # that executes with LocalSystem privileges # Example: Check if we can write to intermediate path directories vulnerable_paths = [ r'C:\Program.exe', r'C:\Program Files\cain.exe' ] print("\n[*] Checking write permissions to potential exploit locations...") for path in vulnerable_paths: directory = os.path.dirname(path) if os.path.exists(directory): if os.access(directory, os.W_OK): print(f"[!] VULNERABLE: Can write to {directory}") print(f" Attacker could place malicious '{os.path.basename(path)}' here") else: print(f"[-] Protected: Cannot write to {directory}") else: print(f"[-] Directory does not exist: {directory}") def main(): print("=" * 60) print("CVE-2022-50933 Cain & Abel Unquoted Service Path PoC") print("=" * 60) print("\n[*] Target: Cain & Abel <= 4.9.56") print("[*] Vulnerability: Unquoted Service Path leads to EoP\n") if sys.platform != 'win32': print("[-] This script must be run on Windows") sys.exit(1) check_vulnerable_service() create_payload_exploit() print("\n[*] PoC completed") print("[*] Note: Actual exploitation requires creating malicious executable") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2022-50933", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:58.163", "lastModified": "2026-02-02T16:16:17.137", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions."}, {"lang": "es", "value": "Cain &amp; Abel 4.9.56 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a atacantes locales ejecutar potencialmente código arbitrario con privilegios elevados. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se iniciarán con permisos de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:malavida:cain_\\&_abel:4.9.56:*:*:*:*:*:*:*", "matchCriteriaId": "102AB620-8145-41C1-A9A4-2FD6FA1A88B3"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50728", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.malavida.com/en/soft/cain-and-abel", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.vulncheck.com/advisories/cain-abel-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50728", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}