CVE-2020-36985 Overview
IP Watcher 3.0.0.30 contains an unquoted service path vulnerability (CWE-428) in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup.
Critical Impact
Local attackers with write access to specific file system locations can achieve privilege escalation to SYSTEM-level access by exploiting the unquoted service path during Windows service startup.
Affected Products
- IP Watcher 3.0.0.30
Discovery Timeline
- 2026-01-28 - CVE CVE-2020-36985 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36985
Vulnerability Analysis
This vulnerability arises from improper handling of the Windows service executable path configuration in IP Watcher 3.0.0.30. When a Windows service path contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager (SCM) attempts to locate the executable by parsing the path at each space character. This behavior can be exploited by placing a malicious executable at one of the intermediary path locations that Windows checks before reaching the intended service binary.
The vulnerability specifically affects the PacServiceExe service component. Because the service runs under the LocalSystem account, successful exploitation grants the attacker the highest level of privilege on the local Windows system, enabling complete system compromise.
Root Cause
The root cause is the failure to properly quote the service binary path in the Windows Registry service configuration. When the ImagePath registry value for a service contains spaces without being enclosed in double quotes, Windows interprets the path ambiguously. For example, a path like C:\Program Files\IP Watcher\PacServiceExe.exe would cause Windows to first check for C:\Program.exe, then C:\Program Files\IP.exe, and so on before reaching the intended executable.
Attack Vector
This is a local attack vector requiring the attacker to have write access to one of the directories Windows checks during path resolution. The attacker must:
- Identify the unquoted service path in the Windows Registry
- Determine which intermediate path locations are writable
- Place a malicious executable (e.g., Program.exe in C:\) at a writable location
- Wait for or trigger a service restart
When the service restarts, the malicious executable runs with LocalSystem privileges instead of, or before, the legitimate service binary. This attack requires local access but no special privileges beyond write access to target directories.
The unquoted service path vulnerability is well-documented, with technical details available in the VulnCheck Advisory on Unquoted Service Path and Exploit-DB #48968.
Detection Methods for CVE-2020-36985
Indicators of Compromise
- Unexpected executables named Program.exe, IP.exe, or similar in root directories or along the service path
- Modifications to directories in the IP Watcher installation path
- Unusual process execution originating from the PacServiceExe service parent process
- Service startup failures or anomalies in the Windows Event Log for IP Watcher services
Detection Strategies
- Monitor for file creation events in C:\, C:\Program Files\, and other directories along the unquoted path
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject Win32_Service | Where-Object { $_.PathName -notlike '"*"' -and $_.PathName -like '* *' }
- Implement SentinelOne endpoint detection rules to identify suspicious executable placement in common unquoted path exploitation locations
- Audit registry changes to service ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services\
Monitoring Recommendations
- Enable Windows Security Event logging for file system changes in critical directories
- Configure SentinelOne behavioral AI to detect anomalous process spawning from service contexts
- Monitor for processes running as SYSTEM from unexpected file paths
- Implement file integrity monitoring on directories commonly targeted by unquoted service path attacks
How to Mitigate CVE-2020-36985
Immediate Actions Required
- Audit the IP Watcher service configuration to identify the unquoted path in the Windows Registry
- Manually add quotation marks around the service binary path in the registry
- Restrict write permissions on directories that could be exploited (e.g., C:\, intermediate path directories)
- Consider disabling the IP Watcher service if not critical until a vendor patch is available
Patch Information
No official patch information is currently available from the vendor. Organizations should contact Gearbox Computers directly for remediation guidance. As a manual fix, administrators can correct the service path by modifying the ImagePath registry value to include proper quotation marks.
Workarounds
- Manually quote the service path by modifying the registry value at HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]\ImagePath to enclose the executable path in double quotes
- Remove write permissions from C:\ and other directories in the unquoted path for non-administrative users
- Implement application whitelisting to prevent unauthorized executables from running
- Use SentinelOne's endpoint protection to block unauthorized binary execution in sensitive directories
# Configuration example - Fixing unquoted service path via Registry
reg query "HKLM\SYSTEM\CurrentControlSet\Services\PacServiceExe" /v ImagePath
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PacServiceExe" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\IP Watcher\PacServiceExe.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
