Active Webcam 115 Unquoted Service Path Patched Access
import winreg


def check_active_webcam_vuln():
    """
    Checks for the 'Active Webcam 11.5' unquoted service path vulnerability.
    Vulnerable services have a path containing spaces and are not enclosed in quotes.
    """
    service_name = "Active WebCam"
    # Standard registry path for services
    reg_path = r"SYSTEM\CurrentControlSet\Services"
    try:
        # Open the registry key for the service
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{reg_path}\\{service_name}", 0, winreg.KEY_READ)
        # Query the ImagePath value
        path_val, _ = winreg.QueryValueEx(key, "ImagePath")
        winreg.CloseKey(key)
        # Logic to determine vulnerability
        # 1. Path must contain spaces (e.g., C:\Program Files\...)
        # 2. Path must NOT start with a quote mark
        if " " in path_val and not path_val.startswith('"'):
            print(f"[!] Vulnerability Detected: Service '{service_name}' has an unquoted path.")
            print(f"    Path: {path_val}")
            print("    Status: The service appears to be UNPATCHED.")
        elif path_val.startswith('"'):
            print(f"[*] Service '{service_name}' is PATCHED (Path is quoted).")
        else:
            print(f"[*] Service '{service_name}' path does not contain spaces (No vulnerability).")
    except FileNotFoundError:
        print(f"[-] Service '{service_name}' not found on this system.")
    except Exception as e:
        print(f"[-] Error accessing registry: {e}")


if __name__ == "__main__":
    check_active_webcam_vuln()
Mitigation & Recommendations
- Update to the patched version immediately
- If patching is not possible, manually fix the service path using sc config:
  sc config ActiveWebCamService binPath= "\"C:\Program Files\Active WebCam\webcam.exe\""
- Ensure that directories like C:\ are not writable by non-administrators
- Monitor for suspicious executables in root/system folders
4.1 Privilege Escalation Vector
This is a local privilege escalation (LPE) vulnerability. It cannot be exploited remotely unless combined with another flaw (e.g., remote code execution that drops a low-priv shell). However, on shared machines, kiosks, or employee workstations, it is a serious risk.
Part 4: Real-World Impact and Risk Assessment
Step 3: Manual Registry Fix (If No Official Patch Available)
If a patch is not available (rare now), manually edit the Registry:
- Open regedit.exe
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Active Webcam Service
- Double-click ImagePath
- Add quotes: "C:\Program Files\Active Webcam\awservice.exe"
- Click OK and restart the service or reboot.
5.4 Additional Security Enhancements
In some patched versions, the vendor also:
- Lowered service privileges where possible (from LocalSystem to LocalService or NetworkService).
- Changed the service start type from Automatic to Manual where feasible.
- Added integrity checking for the executable.
Context
This script checks for the specific vulnerability where the Active WebCam service binary path is stored in the Windows Registry without quotation marks. If a path (like C:\Program Files\Active WebCam\WebCam.exe) is unquoted, Windows attempts to resolve it by checking for executables at C:\Program.exe and C:\Program Files\Active.exe sequentially. An attacker could place a malicious executable at one of those locations to gain SYSTEM privileges. The "patched" state simply implies the path is correctly quoted (e.g., "C:\Program Files\Active WebCam\WebCam.exe").
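The resolution order described in the Context paragraph can be turned into an audit list. The following is an added example, not the page's script or vendor code: it takes an ImagePath string, ignores spaces that belong to command-line arguments, and returns the file locations that should be checked for existence and write permissions. The function names and sample values are constructed for illustration, and it assumes the binary name ends in .exe.

```python
import re

# Constructed sample ImagePath values (not read from any real system).
SAMPLES = [
    r"C:\Program Files\Active WebCam\WebCam.exe",
    r'"C:\Program Files\Active WebCam\WebCam.exe"',
    r"C:\Tools\svc.exe -k run now",
    r"C:\Program Files\Active WebCam\WebCam.exe /service",
]


def executable_part(image_path):
    """Return the binary path portion of an unquoted ImagePath (arguments dropped)."""
    path = image_path.strip()
    # Assumption: the binary path ends at the first ".exe" followed by whitespace or end of string.
    match = re.search(r"\.exe(?=\s|$)", path, re.IGNORECASE)
    return path[:match.end()] if match else path


def hijackable_candidates(image_path):
    """Paths Windows would try before the real binary; an empty list means not affected."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the whole path is taken as one token
    exe = executable_part(path)
    # Every space inside the binary path ends one candidate file name.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(image_path):
    """Return (status, candidates) for one ImagePath string."""
    candidates = hijackable_candidates(image_path)
    return ("UNQUOTED" if candidates else "OK", candidates)


if __name__ == "__main__":
    for sample in SAMPLES:
        status, candidates = audit(sample)
        print(f"{status:9} {sample}")
        for candidate in candidates:
            print(f"          check existence and ACL: {candidate}")
```

Unlike a plain "contains a space" test, this does not flag a path such as C:\Tools\svc.exe -k run now, where the only spaces are in the arguments.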
Part 2: Active Webcam 115 – Software Overview
Active Webcam is a popular Windows application developed by Pysoft. It turns a PC into a network-enabled surveillance system, supporting motion detection, image capture, email alerts, and remote access. Version 115 was a significant release with added IP camera support and performance enhancements.
Like many utilities of its era (late 2010s to early 2020s), Active Webcam installed a core Windows service to allow background monitoring without requiring a logged-in user. This service was typically named:
Active Webcam Service
And its binary path, when inspected via sc qc or the Registry (HKLM\SYSTEM\CurrentControlSet\Services), revealed the flaw.