Bonjour Service ‘mDNSResponder.exe’ – Unquoted Service Path Privilege Escalation

• Exploit Database
• 37 阅读

• 作者： bios
  日期： 2024-07-16
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/52061/

• # Exploit Title: Bonjour Service - 'mDNSResponder.exe'Unquoted Service
  Path
  # Discovery by: bios
  # Discovery Date: 2024-15-07
  # Vendor Homepage: https://developer.apple.com/bonjour/
  # Tested Version: 3,0,0,10
  # Vulnerability Type: Unquoted Service Path
  # Tested on OS: Microsoft Windows 10 Home
  
  # Step to discover Unquoted Service Path:
  
  C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
  |findstr /i /v "c:\windows\\" |findstr /i /v """
  Bonjour Service
   Bonjour Service
  C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe
  Auto
  
  C:\>systeminfo
  
  Host Name: DESKTOP-HFBJOBG
  OS Name: Microsoft Windows 10 Home
  OS Version:10.0.19045 N/A Build 19045
  
  PS C:\Program Files\Blizzard\Bonjour Service> powershell -command
  "(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
  >>
  3,0,0,10
  
  #Exploit:
  
  There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe) .
  This may allow an authorized local user to insert arbitrary code into the
  unquoted service path and escalate privileges.