CVE-2020-36991 Overview
ShareMouse 5.0.43 contains an unquoted service path vulnerability (CWE-428) that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup.
Critical Impact
Local privilege escalation vulnerability enabling attackers with local access to execute arbitrary code with SYSTEM-level privileges by exploiting the unquoted service path during service startup.
Affected Products
- ShareMouse 5.0.43
Discovery Timeline
- 2026-01-28 - CVE CVE-2020-36991 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36991
Vulnerability Analysis
This vulnerability is classified as an Unquoted Service Path (CWE-428) vulnerability in the ShareMouse application. When a Windows service is configured with an executable path that contains spaces and is not enclosed in quotation marks, the Windows Service Control Manager (SCM) interprets the path ambiguously. This allows an attacker with local access to place a specially crafted executable in a location that Windows will execute before reaching the intended service binary.
The vulnerability requires local access and low privileges to exploit, but successful exploitation grants the attacker the ability to execute code with the elevated permissions of the Windows service, typically SYSTEM-level privileges. This creates a significant privilege escalation vector on affected systems.
Root Cause
The root cause of this vulnerability is improper configuration of the Windows service path for ShareMouse. When the service executable path contains spaces (such as C:\Program Files\ShareMouse\ShareMouse.exe) and is not properly enclosed in quotation marks in the Windows registry, the SCM attempts to resolve the path by testing multiple interpretations sequentially.
For example, an unquoted path like C:\Program Files\ShareMouse\ShareMouse.exe would be parsed as:
- C:\Program.exe
- C:\Program Files\ShareMouse\ShareMouse.exe
If an attacker places a malicious Program.exe in the C:\ directory, it will be executed instead of the legitimate service binary.
Attack Vector
The attack requires local access to the target system. An attacker must have sufficient permissions to write to one of the directories that Windows will check before reaching the intended executable path. Common attack scenarios include:
- Placing a malicious executable named Program.exe in the C:\ root directory
- If the path includes other spaces, creating executables at intermediate path segments
When the service starts (either during system boot or when manually triggered), Windows executes the attacker's malicious binary with the privileges of the service account, typically SYSTEM. This enables full system compromise from a low-privileged local user account.
Technical details and proof-of-concept information can be found in the Exploit-DB #48794 advisory and the VulnCheck Advisory for ShareMouse.
Detection Methods for CVE-2020-36991
Indicators of Compromise
- Presence of unexpected executables in C:\ root directory, particularly Program.exe
- Unusual executable files in paths that could intercept unquoted service paths
- Service-related process execution from unexpected locations
- Suspicious child processes spawned from ShareMouse service context
Detection Strategies
- Monitor for file creation events in C:\ and other sensitive directories using endpoint detection tools
- Audit Windows service configurations for unquoted paths using tools like wmic service get name,pathname
- Implement file integrity monitoring on system directories commonly targeted by this attack class
- Review service startup logs for unexpected executable paths or failures
Monitoring Recommendations
- Enable Windows Event Log monitoring for service start/stop events (Event IDs 7035, 7036)
- Configure alerts for new executable files created in system root directories
- Monitor process creation events for processes running with SYSTEM privileges from unusual paths
- Implement behavioral detection for privilege escalation patterns
How to Mitigate CVE-2020-36991
Immediate Actions Required
- Audit the ShareMouse service path in the Windows registry and add quotation marks around the path if unquoted
- Verify ShareMouse installation and update to the latest available version from the ShareMouse Official Site
- Remove any suspicious executables from C:\ and other directories that could intercept the service path
- Consider temporarily disabling the ShareMouse service until remediation is complete
Patch Information
Organizations should check the ShareMouse Official Site for the latest version and any security updates that address this unquoted service path vulnerability. Review the VulnCheck Advisory for ShareMouse for additional guidance.
Workarounds
- Manually correct the service path in the Windows registry by enclosing it in quotation marks
- Restrict write permissions on directories that could be exploited (e.g., C:\)
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use Group Policy to enforce proper service path configurations across the organization
# Registry fix to quote the service path
# Run as Administrator in PowerShell
$servicePath = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\ShareMouse*" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if ($servicePath -and $servicePath -notmatch '^".*"$') {
Write-Host "Unquoted path detected - manual remediation required"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
