CVE-2020-37061 Overview
CVE-2020-37061 is an unquoted service path vulnerability affecting BOOTP Turbo 2.0.1214. This flaw allows local attackers to potentially execute arbitrary code with elevated system privileges by exploiting the unquoted executable path configuration. When the Windows service starts with LocalSystem permissions, attackers can inject malicious code into specific filesystem locations that will be executed instead of the intended service binary.
Critical Impact
Local privilege escalation to SYSTEM-level access through malicious binary injection in unquoted service paths.
Affected Products
- BOOTP Turbo 2.0.1214
- Weird Solutions BOOTP Turbo
Discovery Timeline
- 2026-02-01 - CVE CVE-2020-37061 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2020-37061
Vulnerability Analysis
This vulnerability stems from CWE-428 (Unquoted Search Path or Element), a common Windows service misconfiguration. When a Windows service is configured with an executable path containing spaces that is not enclosed in quotation marks, Windows attempts to resolve the path by searching for executables at each space-delimited segment. For example, if a service path is C:\Program Files\BOOTP Turbo\bootp.exe, Windows will attempt to execute C:\Program.exe, then C:\Program Files\BOOTP.exe, before finally trying the intended path.
Attackers with local access and write permissions to directories along the search path can place a malicious executable at one of these intermediate locations. When the vulnerable service starts or restarts, the attacker's code executes with the service's privilege level—in this case, LocalSystem, the highest privilege level on Windows systems.
Root Cause
The root cause is improper service registration in Windows where the ImagePath registry value for the BOOTP Turbo service contains spaces but lacks proper quotation marks around the full path. This allows Windows' path resolution algorithm to be exploited through binary planting attacks.
Attack Vector
The attack requires local access to the system and write permissions to a directory in the unquoted path hierarchy. An attacker must:
- Identify the unquoted service path in the Windows registry
- Determine which directories in the path hierarchy allow write access
- Place a malicious executable (e.g., Program.exe or similar) at the exploitable location
- Trigger a service restart through system reboot, manual intervention, or service crash
- The malicious payload executes with LocalSystem privileges
The vulnerability can be identified by querying Windows services for unquoted paths that contain spaces:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
This command identifies services with unquoted paths that start automatically and are not in the protected Windows directory.
Detection Methods for CVE-2020-37061
Indicators of Compromise
- Presence of unexpected executables named Program.exe, BOOTP.exe, or similar in root directories or C:\Program Files\
- Windows Event Log entries showing unusual service startup failures followed by successful starts
- File creation events in directories along the BOOTP Turbo installation path
- Process execution events showing SYSTEM-level processes spawned from unexpected locations
Detection Strategies
- Audit Windows service configurations for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
- Monitor filesystem changes in C:\ and C:\Program Files\ for new executable files
- Deploy endpoint detection rules that alert on binary execution from non-standard paths with SYSTEM privileges
- Implement application whitelisting to prevent unauthorized executables from running
Monitoring Recommendations
- Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing
- Configure file integrity monitoring on directories in the BOOTP Turbo service path
- Set up alerts for service configuration changes (Event ID 7040) affecting BOOTP Turbo
- Monitor for lateral movement indicators following successful privilege escalation
How to Mitigate CVE-2020-37061
Immediate Actions Required
- Audit all installed services for unquoted path vulnerabilities using the detection commands above
- Manually correct the registry entry by adding quotation marks around the service executable path
- Restrict write permissions on directories in the service path hierarchy using NTFS permissions
- Consider disabling the BOOTP Turbo service if not actively required in the environment
Patch Information
Contact Weird Solutions for an updated version of BOOTP Turbo that properly quotes the service executable path. Additional technical details are available through the VulnCheck Advisory and Exploit-DB #48078.
Workarounds
- Manually fix the registry path by enclosing the ImagePath value in quotation marks
- Implement strict directory permissions to prevent unauthorized file writes along the service path
- Use application control solutions to prevent execution of unsigned binaries
- Deploy endpoint protection with behavior-based detection for privilege escalation attempts
# Manual registry fix for unquoted service path
reg add "HKLM\SYSTEM\CurrentControlSet\Services\BOOTPTurbo" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\BOOTP Turbo\bootp.exe\"" /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
