Bug: Security Issue - HASS Agent Satellite Service - Unquoted Service Path

[yakidd]

Describe the bug
A Nessus scan surfaces the following issue relating to the install of HASS Agent:
Nessus found the following service with an untrusted path :
hass.agent.svc : C:\Program Files\HASS.Agent Satellite Service\Service\HASS.Agent.Satellite.Service.exe

This issue occurs when a registered service has an unquoted filepath in the ImagePath for the services Registry entry, opening up the possiblity of SYSTEM level privilage escalation.

This fix is fairly simple - when registering the service, ensure the ImagePath is surrounded by double-quotes:
"C:\Program Files\HASS.Agent Satellite Service\Service\HASS.Agent.Satellite.Service.exe"
as opposed to:
C:\Program Files\HASS.Agent Satellite Service\Service\HASS.Agent.Satellite.Service.exe

To Reproduce
Steps to reproduce the behavior:

1. Open regedit
2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hass.agent.svc
3. Observe the Key "ImagePath"

Expected behavior
Service ImagePath should be registered with double-quotes surrounding it.

Screenshots

Misc info (please complete the following information):

• Windows build (ideally screenshot/info of winver.exe output):

• Windows' UI language: EN-GB
• HASS.Agent version: 2.1.0

Please check what's applicable (multiple answers possible):

• Installed via installer
• Installed manually
• [] Problem occurs in HASS.Agent
• Problem occurs in Satellite Service

[amadeo-alex]

That is actually interesting, didn't know that such vuln exists - thank you for reporting!
I'll check if changing this won't break anything and then adjust the installer & reinstall option within HASS.Agent.