CVE-2021-47882 Overview
FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup.
Critical Impact
Local attackers with write access to system directories can achieve privilege escalation to LocalSystem by exploiting the unquoted service path in FreeLAN's Windows service configuration.
Affected Products
- FreeLAN 2.2 for Windows
Discovery Timeline
- 2026-01-21 - CVE CVE-2021-47882 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47882
Vulnerability Analysis
This vulnerability (CWE-428: Unquoted Search Path or Element) occurs when the FreeLAN Windows service is configured with an executable path that contains spaces but is not enclosed in quotation marks. When Windows attempts to start a service with an unquoted path containing spaces, it parses the path sequentially, attempting to execute each space-delimited segment as a potential executable.
For instance, if the service binary is located at C:\Program Files\FreeLAN\freelan.exe, Windows will attempt to execute in order: C:\Program.exe, C:\Program Files\FreeLAN\freelan.exe. An attacker who can place a malicious executable named Program.exe in the C:\ directory can hijack the service startup process.
Root Cause
The root cause is improper configuration of the Windows service image path during FreeLAN installation. The service path is registered in the Windows registry without enclosing quotation marks, creating an exploitable condition when the path contains directory names with spaces (which is common on Windows systems, e.g., Program Files).
Attack Vector
The attack requires local access to the target system with sufficient privileges to write files to directories that appear earlier in the unquoted path resolution sequence. When the FreeLAN service starts (either manually, on system boot, or when restarted), Windows will execute the attacker's malicious binary with LocalSystem privileges instead of the legitimate FreeLAN executable.
The exploitation workflow involves identifying the unquoted service path, determining which intermediate path locations are writable, placing a malicious executable at that location, and then triggering a service restart to achieve code execution with elevated privileges.
Detection Methods for CVE-2021-47882
Indicators of Compromise
- Unexpected executables appearing in root directories such as C:\Program.exe or C:\Program Files.exe
- Service start failures or unusual service behavior for FreeLAN
- Processes running with LocalSystem privileges that originate from unexpected file paths
- Registry modifications to the FreeLAN service configuration
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '* *'}
- Monitor file creation events in directories that could be exploited through unquoted path resolution (e.g., C:\, C:\Program Files\)
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use endpoint detection tools to alert on suspicious service configurations
Monitoring Recommendations
- Enable Windows Security Event logging for service creation and modification events (Event IDs 7045, 4697)
- Monitor for new executable files created in system root directories
- Implement file integrity monitoring on directories susceptible to unquoted path exploitation
- Review service configurations periodically for unquoted paths using automated compliance checks
How to Mitigate CVE-2021-47882
Immediate Actions Required
- Manually correct the service path by adding quotation marks around the executable path in the Windows registry
- Restrict write permissions on directories that appear in the unquoted path resolution sequence
- Audit all Windows services on affected systems for similar unquoted path vulnerabilities
- Consider temporarily disabling the FreeLAN service until the path is corrected
Patch Information
The vulnerability can be manually remediated by modifying the service configuration in the Windows registry. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\FreeLAN and ensure the ImagePath value is enclosed in quotation marks. Additional technical details and a proof-of-concept are available at Exploit-DB #49630. For vendor information, refer to the GitHub Freelan Project and the VulnCheck Freelan Advisory.
Workarounds
- Manually quote the service path in the registry: Change C:\Program Files\FreeLAN\freelan.exe to "C:\Program Files\FreeLAN\freelan.exe"
- Use the sc config command to update the service binary path with proper quotation
- Implement strict ACLs on directories that could be exploited via unquoted path resolution
- Deploy application control policies to prevent execution of unsigned binaries from common exploit locations
# Fix unquoted service path using sc command
sc config "FreeLAN" binPath= "\"C:\Program Files\FreeLAN\freelan.exe\""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
