Advanced Host Monitor v12.56 – Unquoted Service Path

  • Author: Mr Empy
    Date: 2023-05-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51412/
    # Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
    # Date: 2023-04-23
    # CVE: CVE-2023-2417
    # Exploit Author: MrEmpy
    # Vendor Homepage: https://www.ks-soft.net
    # Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
    # Version: > 12.56
    # Tested on: Windows 10 21H2
    
    
    Title:
    ================
    Advanced Host Monitor > 12.56 - Unquoted Service Path
    
    
    Summary:
    ================
    An unquoted service path vulnerability has been discovered in Advanced Host
    Monitor version > 12.56 affecting the executable "C:\Program Files
    (x86)\HostMonitor\RMA-Win\rma_active.exe". The vulnerability occurs because
    the service's binary path contains spaces but is not enclosed in quotation
    marks, so Windows may resolve and run a different file instead of the
    legitimate executable associated with the service.
    
    An attacker with local user privileges could exploit this vulnerability by
    placing a malicious file with the same name as the legitimate
    RMA-Win\rma_active.exe service executable in a directory that Windows
    searches before the legitimate one. When the service starts, it will run
    the malicious file instead of the legitimate executable, allowing the
    attacker to execute arbitrary code (as LocalSystem, the account the service
    runs under), gain unauthorized access to the compromised system, or stop
    the service from functioning.
    
    To exploit this vulnerability, an attacker would need local access to the
    system and the ability to write files to one of those directories. The
    vulnerability can be mitigated by enclosing the full path of the service
    executable in quotation marks in the service configuration. Furthermore,
    it is recommended that users keep software updated with the latest
    security updates and limit physical and network access to their systems to
    prevent malicious attacks.
    
    
    Proof of Concept:
    ================
    
    C:\>sc qc ActiveRMAService
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: ActiveRMAService
            TYPE               : 110  WIN32_OWN_PROCESS (interactive)
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : KS Active Remote Monitoring Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
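The `sc qc` output above is what an administrator or auditor looks at to confirm the finding. The following script is an added example, not part of the advisory and not KS-Soft code: it parses constructed `sc qc` text modelled on the PoC output, decides whether BINARY_PATH_NAME is an unquoted path containing spaces, lists the ambiguous prefixes Windows would try before the real image (the locations to verify are absent and not writable by standard users), and produces the quoted value to apply with `sc config ActiveRMAService binPath= "..."`. The service name and path come from the advisory; everything else uses only the Python standard library.

```python
"""Audit `sc qc` output for unquoted service binary paths (added example)."""
import re
import subprocess

# Constructed sample, modelled on the advisory's PoC output. Real `sc qc`
# prints BINARY_PATH_NAME on a single line, as reproduced here.
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\HostMonitor\\RMA-Win\\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text: str) -> dict:
    """Turn `sc qc` output into {FIELD: value}; only the first ':' separates key from value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_path(binary_path: str) -> tuple:
    """Separate the executable from its arguments.

    A quoted path ends at the closing quote. For an unquoted path, the image
    the administrator intended is the shortest space-separated prefix that
    ends in .exe; whatever follows is the argument string.
    """
    if binary_path.startswith('"'):
        end = binary_path.index('"', 1)
        return binary_path[1:end], binary_path[end + 1:].strip()
    tokens = binary_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]).strip()
    return binary_path, ""


def is_unquoted_service_path(binary_path: str) -> bool:
    """True when the executable path is not quoted and contains a space."""
    if binary_path.startswith('"'):
        return False
    image, _ = split_image_path(binary_path)
    return " " in image


def ambiguous_prefixes(image: str) -> list:
    """Paths Windows tries before the real image when the path is unquoted.

    CreateProcess splits at each space and appends .exe when the candidate
    has no extension; the real image itself is excluded from the result.
    """
    tokens = image.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def quoted_binary_path(binary_path: str) -> str:
    """Corrected value for `sc config <svc> binPath= ...`: image quoted, arguments kept."""
    image, args = split_image_path(binary_path)
    fixed = f'"{image}"'
    return f"{fixed} {args}" if args else fixed


def audit_sc_qc(text: str) -> dict:
    """Summarise one service's configuration for a findings report."""
    fields = parse_sc_qc(text)
    path = fields.get("BINARY_PATH_NAME", "")
    image, _ = split_image_path(path)
    vulnerable = is_unquoted_service_path(path)
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "account": fields.get("SERVICE_START_NAME", ""),
        "unquoted": vulnerable,
        "check_paths": ambiguous_prefixes(image) if vulnerable else [],
        "fixed_binpath": quoted_binary_path(path) if vulnerable else path,
    }


def audit_live_service(name: str) -> dict:
    """On a Windows host, run `sc qc <name>` and audit the real configuration."""
    out = subprocess.run(["sc", "qc", name], capture_output=True, text=True, check=False).stdout
    return audit_sc_qc(out)


if __name__ == "__main__":
    for key, value in audit_sc_qc(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Running it against the sample flags the service as unquoted, reports `C:\Program.exe` and `C:\Program Files.exe` as the prefixes to check, and prints the quoted `binPath=` value; `audit_live_service` does the same against a real host. The `account` field matters for triage: a service running as LocalSystem turns a writable prefix into a full privilege escalation, so those findings go first.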