AVG Anti Spyware 7.5 - Unquoted Service Path "AVG Anti-Spyware Guard"

Exploit Author: Idan Malihi
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2023-07-11
# Exploit Title: AVG Anti Spyware 7.5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.avg.com
# Software Link: https://www.avg.com/en-ww/homepage#pc
# Version: 7.5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36167

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
AVG Anti-Spyware Guard                                                              AVG Anti-Spyware Guard                    C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe                            Auto

C:\Users>sc qc "AVG Anti-Spyware Guard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AVG Anti-Spyware Guard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AVG Anti-Spyware Guard
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo

Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation


AVG Anti-Spyware 7.5 – Unquoted Service Path Vulnerability (CVE-2023-36167)

Security researchers have identified a critical vulnerability in AVG Anti-Spyware 7.5, a widely used antivirus solution developed by Grisoft (now part of Avast). This flaw, designated as CVE-2023-36167, stems from an unquoted service path in the AVG Anti-Spyware Guard service, which can be exploited to achieve privilege escalation on Windows systems.

Understanding the Vulnerability: Unquoted Service Path

Service paths in Windows are defined during service installation and specify the executable file that runs when the service starts. When a path contains spaces but is not enclosed in quotation marks, Windows cannot tell where the executable name ends: it tries each space-delimited prefix as the program name (starting with the first word) and treats whatever follows as command-line arguments. This creates a dangerous condition where an attacker who can write to one of the directories along that path can place an executable there that Windows finds before the intended one, effectively hijacking the service.

For example, if a service's binary path is set to:

C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Without quotes, Windows interprets this as:

  • C:\Program — the executable
  • Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe — treated as command-line arguments

Therefore, if an attacker creates a malicious file named Program.exe in the root of the C: drive (that is, C:\Program.exe), it will execute when the service starts — even though the intended executable is guard.exe.

Exploitation Demonstration

Researchers such as Idan Malihi demonstrated this vulnerability using standard Windows command-line tools. The following commands reveal the unquoted service path:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Explanation: This command queries all services set to auto-start, filters out those with paths under C:\Windows\, and excludes services with quoted paths. The result shows:

AVG Anti-Spyware Guard AVG Anti-Spyware Guard C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe Auto

Clearly, the path is unquoted and contains spaces. The sc qc command confirms the service configuration:

sc qc "AVG Anti-Spyware Guard"

Output confirms:

Property             Value
BINARY_PATH_NAME     C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
START_TYPE           2  AUTO_START
SERVICE_START_NAME   LocalSystem

Since the service runs under LocalSystem, an attacker who gains control of the service execution can perform actions with elevated privileges.

Attack Scenario: Privilege Escalation

Here’s a realistic attack sequence:

  1. An attacker gains access to a low-privileged user account on a Windows 10 Pro system.
  2. They identify the AVG Anti-Spyware Guard service using the wmic command.
  3. They create a malicious executable named Program.exe in the root of the C: drive (C:\Program.exe).
  4. They wait for the service to restart (e.g., after reboot or via sc start).
  5. When the service starts, Windows executes Program.exe instead of guard.exe.
  6. The malicious executable runs with LocalSystem privileges.

At this point, the attacker has full system control — including the ability to modify system files, install malware, or disable security software.

Impact and Risk Assessment

Although AVG Anti-Spyware 7.5 is an older version (released in 2015), it remains in use on legacy systems, particularly in enterprise environments with outdated software policies. This vulnerability poses a serious risk due to:

  • High privilege escalation potential — LocalSystem access.
  • Low barrier to exploit — requires only basic command-line knowledge.
  • Widespread exposure — many systems still running outdated AV software.
  • Long-term persistence — once executed, the payload can remain undetected.

Remediation and Best Practices

Microsoft and security vendors recommend the following mitigation strategies:

  • Update software immediately — upgrade to the latest version of AVG or replace with a supported antivirus.
  • Use quoted paths in service configurations — always wrap paths with spaces in double quotes.
  • Regular service audits — use tools like wmic or PowerShell to check for unquoted paths.
  • Implement least privilege — avoid running services as LocalSystem unless absolutely necessary.
  • Monitor for suspicious file creation — watch for unexpected executables such as C:\Program.exe, or similarly named files in other directories along unquoted service paths.

For administrators, a PowerShell script can automate detection:

Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^C:\\Windows' -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } | Select-Object Name, PathName, DisplayName

Explanation: This one-liner lists all auto-start services outside C:\Windows whose binary path does not begin with a quotation mark and contains at least one space (an unquoted path without spaces is resolved unambiguously and is not affected). Each hit is a candidate, not a confirmed weakness: it is exploitable only if a low-privileged user can create files in one of the directories Windows searches along the path, so the ACLs of those directories should be checked as well.
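The following audit script is an added example (not the advisory's or the analysis author's code) that ties the path-resolution mechanism described above to the detection step: for every unquoted auto-start service path it enumerates the candidate file names Windows tries before the real executable, reports whether a low-privileged principal (Everyone, Authenticated Users or BUILTIN\Users, an assumed short list) can create files in the corresponding directory, and offers a remediation that quotes the executable in the service's ImagePath. It assumes only built-in cmdlets and an elevated session so every directory ACL and the HKLM service key are readable and writable.

```powershell
# Added example, not part of the advisory. Built-in cmdlets only; run elevated
# so Get-Acl can read every directory and Set-ItemProperty can write to HKLM.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and $_.PathName -and
            $_.PathName -notmatch '^"' -and                       # not quoted
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and    # skip OS services
            $_.PathName -match ' '                                # spaces in the path
        } |
        ForEach-Object {
            $svc = $_
            # Drop trailing service arguments, then enumerate the names CreateProcess
            # tries before the real one: every space-delimited prefix plus ".exe".
            $exe   = $svc.PathName -replace '(?i)(\.exe).*$', '$1'
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -LiteralPath $candidate -Parent
                if (-not (Test-Path -LiteralPath $dir)) { continue }
                # A candidate matters only if a low-privileged principal can create files
                # in its directory. Inherit-only ACEs do not apply to the directory itself
                # (which is why C:\ is not file-writable by standard users by default).
                $weak = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.PropagationFlags -notmatch 'InheritOnly' -and
                    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                    (([int]$_.FileSystemRights -band 2) -ne 0)    # CreateFiles/WriteData bit
                }
                [pscustomobject]@{
                    Service      = $svc.Name
                    RunsAs       = $svc.StartName
                    PathName     = $svc.PathName
                    HijackTarget = $candidate
                    DirWritable  = [bool]$weak
                }
            }
        }
}
# Remediation: quote the executable in the service's ImagePath, leaving any
# arguments after the .exe outside the quotes. Takes effect at the next service start.
function Set-QuotedServicePath {
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key).ImagePath
    if ($path -notmatch '^"' -and $path -match '^(?<exe>.+?\.exe)(?<args>.*)$') {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value ('"{0}"{1}' -f $Matches.exe, $Matches.args)
    }
}
```

Run `Get-UnquotedServicePath | Format-Table -AutoSize` to list findings, then `Set-QuotedServicePath -Name 'AVG Anti-Spyware Guard'` (or any reported service name) to fix a confirmed one; rows with DirWritable set to True are the ones a standard user could actually abuse.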

Conclusion

The CVE-2023-36167 vulnerability in AVG Anti-Spyware 7.5 serves as a stark reminder of how outdated software can introduce critical security flaws. Even a simple unquoted path can enable full system compromise. Organizations must prioritize software updates, conduct regular security audits, and enforce secure service configurations to prevent exploitation.

Security is not just about firewalls and encryption — it’s about understanding the underlying system mechanics. The unquoted service path issue highlights the importance of defensive configuration and continuous monitoring in modern cybersecurity practices.