CVE-2021-47884 Overview
OKI Configuration Tool version 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service. This flaw allows local attackers to potentially execute arbitrary code by exploiting the unquoted path in C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe. Attackers can inject malicious executables into directories within the unquoted path and escalate privileges when the service restarts or the system reboots.
Critical Impact
Local attackers with write access to directories in the service path can achieve privilege escalation by placing malicious executables that will be executed with SYSTEM privileges when the vulnerable service starts.
Affected Products
- OKI Configuration Tool version 1.6.53
- OKI Local Port Manager Service (portmgrsrv.exe)
- Systems with OKI printing software installed in default locations
Discovery Timeline
- 2026-01-21 - CVE-2021-47884 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47884
Vulnerability Analysis
This vulnerability is classified as CWE-428 (Unquoted Search Path or Element). When Windows services are configured with executable paths containing spaces that are not enclosed in quotation marks, the operating system's service control manager (SCM) interprets the path in an ambiguous manner. For the path C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe, Windows will attempt to execute files in the following order:
- C:\Program.exe
- C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe
If an attacker has write permissions to the C:\ directory, they can place a malicious Program.exe file that will be executed with the privileges of the service—typically SYSTEM-level privileges—before the legitimate service binary is found.
Root Cause
The root cause of this vulnerability is improper service registration during the OKI Configuration Tool installation process. The installer failed to properly quote the service executable path when registering the OKI Local Port Manager service in the Windows Service Control Manager. This oversight creates an exploitable condition on systems where attackers have local access and write permissions to parent directories in the unquoted path.
Attack Vector
This is a local attack vector requiring the attacker to already have some level of access to the target system. The attack proceeds as follows:
- The attacker identifies the unquoted service path for the OKI Local Port Manager service
- The attacker places a malicious executable named Program.exe in the C:\ root directory (if write permissions exist)
- When the service restarts (either manually, via system reboot, or through service failure recovery), Windows attempts to resolve the unquoted path
- The malicious Program.exe is executed with SYSTEM privileges before Windows can properly parse the intended path
The vulnerability mechanism exploits Windows path resolution behavior. When a service path contains spaces and is not quoted, the Service Control Manager parses the path by testing each space as a potential delimiter. For the path C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe, Windows first checks if C:\Program exists with a .exe extension. An attacker can abuse this by placing a malicious Program.exe in the root directory. For detailed technical analysis, see the VulnCheck Advisory on Configuration Tool and Exploit-DB #49624.
Detection Methods for CVE-2021-47884
Indicators of Compromise
- Presence of unexpected Program.exe file in the C:\ root directory
- Unusual executable files in directories along the service path such as C:\Program Files\Okidata\
- Windows Event Log entries showing service failures or unexpected service restarts for OKI Local Port Manager
- Process execution events showing Program.exe launching with SYSTEM privileges
Detection Strategies
- Query Windows services for unquoted paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '^"' -and $_.PathName -match ' '}
- Monitor file creation events in the C:\ root directory and directories within the OKI installation path
- Implement SentinelOne endpoint detection to identify suspicious process spawning from service contexts
- Use Windows Security Event ID 4688 to track process creation with elevated privileges
Monitoring Recommendations
- Configure file integrity monitoring on the C:\ root directory and C:\Program Files\Okidata\ paths
- Enable detailed service control manager logging to detect service path manipulation
- Deploy behavioral detection for processes executing from unexpected locations with SYSTEM privileges
- Monitor for registry modifications to the HKLM\SYSTEM\CurrentControlSet\Services\OKI Local Port Manager key
How to Mitigate CVE-2021-47884
Immediate Actions Required
- Audit all Windows services for unquoted paths and remediate immediately
- Restrict write permissions on the C:\ root directory and C:\Program Files\ to administrators only
- Consider disabling or removing the OKI Local Port Manager service if not essential to operations
- Implement application whitelisting to prevent unauthorized executables from running with elevated privileges
Patch Information
No official vendor patch information is available in the CVE data. Organizations should contact OKI directly for updated software versions that address this vulnerability. For historical reference, archived information about OKI solutions can be found at the Archived OKI Smart Solutions page.
Workarounds
- Manually fix the unquoted service path by modifying the registry to add quotation marks around the executable path
- Remove write permissions from non-administrative users on all directories in the service path hierarchy
- Use Windows AppLocker or Software Restriction Policies to block execution of unsigned executables from root directories
- Consider uninstalling the vulnerable OKI Configuration Tool if printing functionality can be achieved through alternative means
# PowerShell command to fix unquoted service path (run as Administrator)
# First, verify the current unquoted path:
# Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OKI Local Port Manager" -Name ImagePath
# Fix by adding quotes around the path:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OKI Local Port Manager" -Name ImagePath -Value '"C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
