CVE-2020-36952 Overview
CVE-2020-36952 is an unquoted service path vulnerability in IObit Uninstaller 10 Pro that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup. This vulnerability is classified under CWE-428 (Unquoted Search Path or Element).
Critical Impact
Local attackers with limited privileges can achieve SYSTEM-level code execution by placing malicious executables in strategic locations along the unquoted service path.
Affected Products
- IObit Uninstaller 10 Pro
Discovery Timeline
- 2026-01-26 - CVE CVE-2020-36952 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2020-36952
Vulnerability Analysis
This vulnerability exists due to an unquoted service path in the IObit Uninstaller Service. When Windows services are configured with executable paths containing spaces but lacking proper quotation marks, the operating system's path resolution mechanism can be exploited. Windows attempts to locate the executable by parsing the path at each space character, creating opportunities for attackers to place malicious binaries in locations that will be executed before the legitimate service executable.
The vulnerability requires local access to the system and the ability to write files to specific directories along the service path. Once an attacker places a malicious executable in a location that Windows will resolve before reaching the intended service binary, the malicious code will execute with the same privileges as the service—typically SYSTEM-level permissions.
Root Cause
The root cause of this vulnerability is improper configuration of the Windows service executable path. When the service path contains spaces and is not enclosed in quotation marks, Windows uses a predictable algorithm to resolve the path. This algorithm splits the path at each space and attempts to find a valid executable at each intermediate location. The IObit Uninstaller Service was configured without proper quotation marks around its path, enabling this exploitation vector.
Attack Vector
This is a local attack vector requiring the attacker to have existing access to the target system. The attacker must have write permissions to at least one directory in the unquoted path hierarchy. The typical exploitation process involves:
- Identifying the unquoted service path configuration
- Determining which directories in the path are writable by the current user
- Creating a malicious executable with a name that matches the path resolution pattern
- Waiting for the service to restart (or forcing a restart if privileges allow)
- The malicious code executes with SYSTEM privileges when the service starts
Detailed technical information about this vulnerability, including proof-of-concept details, can be found in the Exploit-DB #49371 advisory. Additional vendor information is available at the IObit Official Website.
Detection Methods for CVE-2020-36952
Indicators of Compromise
- Unexpected executable files appearing in C:\Program Files\ or C:\Program Files (x86)\ with names like IObit.exe or similar partial path matches
- Anomalous process execution chains where IObit-related service names spawn unexpected child processes
- Modifications to service configurations or service binary paths in the Windows registry
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' }
- Monitor for creation of executable files in common exploitation directories such as C:\Program.exe or partial path locations
- Implement file integrity monitoring on directories commonly targeted by unquoted service path attacks
Monitoring Recommendations
- Enable Windows Security Event logging for service installation and modification (Event IDs 7045, 7040)
- Configure endpoint detection rules to alert on executable creation in root-level Program Files directories
- Monitor for privilege escalation patterns where low-privilege users suddenly spawn SYSTEM-level processes
How to Mitigate CVE-2020-36952
Immediate Actions Required
- Audit all installed services for unquoted paths and remediate by adding quotation marks to service configurations
- Restrict write permissions on directories that could be exploited (e.g., C:\Program Files\, C:\Program Files (x86)\)
- Update IObit Uninstaller to the latest available version that addresses this vulnerability
- Consider removing or replacing affected software if no patch is available
Patch Information
Refer to the VulnCheck Advisory on IObit for the latest information on available patches and remediation guidance. Users should check the IObit Official Website for updated software releases that address this vulnerability.
Workarounds
- Manually fix the unquoted service path by modifying the registry key at HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName] and adding quotation marks around the ImagePath value
- Implement application control policies to prevent unauthorized executable creation in sensitive directories
- Use endpoint protection solutions like SentinelOne to detect and block privilege escalation attempts
# Configuration example - Manually fix unquoted service path
# Run in elevated PowerShell
# Query for vulnerable services
Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } | Select-Object Name, PathName
# Fix by adding quotes to registry (replace SERVICE_NAME and PATH)
# reg add "HKLM\SYSTEM\CurrentControlSet\Services\SERVICE_NAME" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\IObit\IObit Uninstaller\service.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
