CVE-2020-36990 Overview
Input Director 1.4.3 contains an unquoted service path vulnerability (CWE-428) in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. This vulnerability represents a classic Windows service misconfiguration that can lead to local privilege escalation.
Critical Impact
Local attackers with limited privileges can achieve LocalSystem-level code execution by exploiting the unquoted service path during system startup or service restart operations.
Affected Products
- Input Director 1.4.3
- Earlier versions of Input Director may also be affected
Discovery Timeline
- 2026-01-28 - CVE CVE-2020-36990 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36990
Vulnerability Analysis
This vulnerability exists due to an improperly quoted service path in Input Director's Windows service configuration. When a Windows service executable path contains spaces and is not enclosed in quotation marks, Windows attempts to locate the executable by parsing the path at each space character. This behavior can be abused by an attacker who places a malicious executable in a location that Windows will check before reaching the legitimate service binary.
The vulnerability allows local attackers who already have some level of system access to escalate their privileges to LocalSystem, which is the highest privilege level on a Windows system. The attack requires local access and the ability to write files to specific directories in the path hierarchy. While the attack complexity is low, it does require user interaction in the form of a system restart or service restart to trigger execution of the malicious payload.
Root Cause
The root cause is an unquoted service path vulnerability (CWE-428) in the Input Director Windows service registration. When the service was installed, the path to the executable was not properly enclosed in quotation marks. For example, if the service is installed at C:\Program Files\Input Director\InputDirector.exe, Windows will attempt to execute:
- C:\Program.exe
- C:\Program Files\Input.exe
- C:\Program Files\Input Director\InputDirector.exe
An attacker can place a malicious executable at any of these intermediate locations to have it executed with LocalSystem privileges when the service starts.
Attack Vector
The attack vector is local, requiring the attacker to have existing access to the target system with write permissions to directories in the service path. The exploitation flow typically involves:
- The attacker identifies the unquoted service path in the Input Director service configuration
- The attacker creates a malicious executable (e.g., Program.exe or Input.exe)
- The attacker places the executable in an appropriate directory (e.g., C:\ or C:\Program Files\)
- When the system reboots or the service is restarted, Windows executes the malicious binary with LocalSystem privileges
For detailed technical information about this vulnerability, refer to the Exploit-DB entry #48795 and the VulnCheck Advisory.
Detection Methods for CVE-2020-36990
Indicators of Compromise
- Unexpected executable files in C:\ root directory with names like Program.exe
- Suspicious executables in C:\Program Files\ named Input.exe
- Unauthorized modifications to the Input Director installation directory
- Unusual process execution with LocalSystem privileges originating from non-standard paths
Detection Strategies
- Query Windows services for unquoted paths using wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Monitor for file creation events in C:\ and C:\Program Files\ directories for executables that don't match known software installations
- Use endpoint detection and response (EDR) solutions to detect privilege escalation attempts
- Implement application whitelisting to prevent unauthorized executable execution
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification events (Event ID 4697)
- Monitor for process creation events where parent process is services.exe but child process path is unexpected
- Configure alerts for file write operations to sensitive directories by non-administrative users
- Regularly audit service configurations for unquoted paths as part of security hygiene
How to Mitigate CVE-2020-36990
Immediate Actions Required
- Audit the Input Director service path configuration and add quotation marks around the path if unquoted
- Check for and remove any suspicious executables in C:\, C:\Program Files\, or other directories in the service path
- Update to the latest version of Input Director from the official website if a patched version is available
- Restrict write permissions on directories that appear in service executable paths
Patch Information
Users should check the Input Director Official Site for updated versions that address this vulnerability. If no patched version is available, manual remediation of the service path is required by modifying the Windows registry to add quotation marks around the service executable path.
Workarounds
- Manually fix the unquoted service path by modifying the registry key at HKLM\SYSTEM\CurrentControlSet\Services\InputDirector\ImagePath
- Restrict write access to the C:\ root directory and C:\Program Files\ folder to administrators only
- Use application control policies to prevent unauthorized executable execution
- Consider uninstalling Input Director if it is not business-critical until a vendor patch is available
# PowerShell command to identify and fix unquoted service paths
# Query for unquoted paths
Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'} | Select-Object Name, PathName
# Manual registry fix (run as Administrator - modify path as needed)
# reg add "HKLM\SYSTEM\CurrentControlSet\Services\InputDirector" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Input Director\InputDirector.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
