CVE-2020-36986 Overview
Prey 1.9.6 contains an unquoted service path vulnerability (CWE-428) that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot.
Critical Impact
Local privilege escalation through unquoted service path exploitation in Prey's CronService, enabling attackers to execute arbitrary code with SYSTEM-level privileges.
Affected Products
- Prey version 1.9.6
Discovery Timeline
- 2026-01-28 - CVE-2020-36986 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36986
Vulnerability Analysis
This vulnerability stems from improper handling of service paths in the Windows service configuration for Prey's CronService. When a Windows service executable path contains spaces and is not enclosed in quotation marks, Windows attempts to locate the executable by progressively parsing the path at each space. This behavior can be exploited by an attacker to place a malicious executable in a location that gets executed before the intended legitimate service binary.
The unquoted service path vulnerability in Prey 1.9.6 allows a local attacker with write access to certain directories in the service path to plant a malicious executable. When the CronService starts (either during system boot or when manually triggered), Windows may execute the attacker's code instead of the legitimate Prey service binary, resulting in privilege escalation to SYSTEM-level permissions.
Root Cause
The root cause of this vulnerability is the improper quoting of the service binary path during installation or configuration of the Prey CronService. When the service path contains spaces (such as C:\Program Files\Prey\...), Windows requires the path to be enclosed in double quotes. Without proper quoting, Windows interprets the path ambiguously, attempting to execute binaries at intermediate path locations like C:\Program.exe or C:\Program Files\Prey.exe before reaching the intended executable.
Attack Vector
The attack requires local access to the target system and write permissions to one of the directories in the unquoted service path. An attacker would:
- Identify the unquoted service path for Prey's CronService
- Determine which directory in the path they have write access to
- Place a malicious executable (e.g., Program.exe in C:\ or Prey.exe in C:\Program Files\)
- Wait for or trigger a service restart or system reboot
- The malicious executable runs with the privileges of the service (typically SYSTEM)
The vulnerability is documented in Exploit-DB #48967 and detailed in the VulnCheck Advisory.
Detection Methods for CVE-2020-36986
Indicators of Compromise
- Unexpected executables appearing in directories such as C:\Program.exe, C:\Program Files\Prey.exe, or other paths along the service binary path
- Unusual process execution chains where suspicious binaries spawn from service startup
- Modification timestamps on files in system directories that don't align with expected software updates
- Service-related event logs showing execution of non-standard binaries during CronService startup
Detection Strategies
- Query Windows services for unquoted paths using tools like wmic service get name,pathname or PowerShell cmdlets to identify vulnerable service configurations
- Monitor file creation events in sensitive directories (C:\, C:\Program Files\) for unexpected executable files
- Use endpoint detection and response (EDR) solutions to detect anomalous process creation during service startup sequences
- Implement application whitelisting to prevent unauthorized executables from running in elevated contexts
Monitoring Recommendations
- Enable detailed Windows Security Event logging (Event ID 4688) to track process creation; the command line is only recorded when the "Include command line in process creation events" audit policy is also enabled
- Configure file integrity monitoring (FIM) on critical system directories to detect unauthorized file additions
- Monitor service configuration changes through the Windows Event Log (System Event ID 7045 for new service installations; changes to an existing service's ImagePath are only visible if registry object-access auditing is enabled on the service key, which produces Security Event ID 4657)
- Leverage SentinelOne's behavioral AI to detect privilege escalation attempts and anomalous service execution patterns
How to Mitigate CVE-2020-36986
Immediate Actions Required
- Audit all installed services for unquoted service paths using wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" or equivalent PowerShell commands (WMIC is deprecated on current Windows releases, so prefer the PowerShell form where it is unavailable)
- Manually correct the service path by enclosing it in double quotes in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\ImagePath
- Restrict write permissions on directories in the service path to administrators only
- Consider upgrading Prey to a newer version if one is available that addresses this vulnerability
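The following audit function is an added example, not code from the advisory or from the Prey project. For every service whose path is unquoted and contains spaces, it lists the intermediate paths Windows would try before the real binary (the locations named under Indicators of Compromise), reports whether a file already exists there and whether the low-privileged groups in the assumed $lowPrivIds list can write to that directory, and with -Fix writes the quoted path back to ImagePath as described under Immediate Actions. The function name, the group list and the elevated session are assumptions; the write check is an ACL heuristic, not an authoritative effective-permissions calculation.

```powershell
# Added audit helper (assumption: run in an elevated PowerShell session)
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param([switch]$Fix)
    # Groups a local non-admin user normally belongs to (assumed list)
    $lowPrivIds = 'Everyone', 'BUILTIN\Users',
                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        # Skip empty, already-quoted, space-free and Windows-directory paths
        if (-not $path -or $path.StartsWith('"') -or $path -notmatch ' ') { continue }
        if ($path -like "$env:SystemRoot*") { continue }
        # Split the executable from its arguments at the first ".exe"
        $exeEnd = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { continue }
        $exe  = $path.Substring(0, $exeEnd + 4)
        $tail = $path.Substring($exeEnd + 4)
        # Intermediate paths Windows tries first, e.g. for
        # C:\Program Files\Prey Svc\prey.exe: C:\Program.exe, C:\Program Files\Prey.exe
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            $writable = $false
            if (Test-Path -LiteralPath $dir) {
                # Heuristic ACL check: an Allow rule granting write-type rights
                foreach ($rule in (Get-Acl -LiteralPath $dir).Access) {
                    if ($rule.AccessControlType -eq 'Allow' -and
                        $rule.IdentityReference.Value -in $lowPrivIds -and
                        $rule.FileSystemRights -match 'Write|CreateFiles|Modify|FullControl') {
                        $writable = $true
                    }
                }
            }
            [pscustomobject]@{
                Service            = $svc.Name
                Candidate          = $candidate       # where a planted binary would sit
                PlantedFileExists  = Test-Path -LiteralPath $candidate
                DirWritableByUsers = $writable
            }
        }
        if ($Fix) {
            # Quote only the executable and keep its arguments; ExpandString keeps REG_EXPAND_SZ
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
                -Name ImagePath -Type ExpandString -Value ('"' + $exe + '"' + $tail)
        }
    }
}
```

Run Get-UnquotedServicePath first without -Fix and review the output; a row with PlantedFileExists set to True is an indicator of compromise to investigate before quoting the path.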
Patch Information
Check the Prey Project website for updated versions that address this vulnerability. Review the VulnCheck Advisory for additional guidance on remediation steps.
Workarounds
- Manually quote the service path in the Windows Registry to prevent path ambiguity exploitation
- Remove write permissions from non-administrative users for all directories in the service path
- Implement application control policies to prevent execution of unauthorized binaries from writable directories
- Use endpoint protection solutions like SentinelOne to detect and block exploitation attempts in real-time
# Check for unquoted service paths (PowerShell)
# Lists services whose PathName does not start with a quote and contains a space;
# Get-CimInstance is the supported replacement for Get-WmiObject on PowerShell 7
Get-CimInstance Win32_Service | Select-Object Name, PathName | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
# Fix unquoted service path (requires Administrator privileges)
# Replace <ServiceName> with the actual service name and the path with the real binary path;
# -Type ExpandString keeps ImagePath stored as REG_EXPAND_SZ
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\<ServiceName>" -Name ImagePath -Type ExpandString -Value '"C:\Program Files\Prey\path\to\service.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

