EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
2020-02-14T00:00:00
ID EDB-ID:48069 Type exploitdb Reporter Exploit-DB Modified 2020-02-14T00:00:00
Description
# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-13
# Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows
# Software Link: https://ftp.epson.com/drivers/epson16189.exe
# SEIKO EPSON CORP
# Tested Version: 2.81
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """
EMP_NSWLSV EMP_NSWLSV C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe Auto
C:\>sc qc "EMP_NSWLSV"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EMP_NSWLSV
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EMP_NSWLSV
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
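The following audit sketch is an added example, not part of the original advisory or any vendor code. It applies the same kind of check as the wmic/findstr filter above to exported service records and returns the quoted path value that remediates each finding. The function names and every record other than EMP_NSWLSV are constructed for illustration, and splitting an unquoted path at the first ".exe" is a heuristic.

```python
import re

# Constructed sample records (name, pathname, startmode).
# Only the first PathName is taken from this page; the rest are made up.
SAMPLE_SERVICES = [
    ("EMP_NSWLSV",
     r"C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe",
     "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Example Vendor\svc.exe" -k run', "Auto"),
    ("NoSpaceSvc", r"C:\Tools\agent.exe --service", "Auto"),
    ("WinSvc", r"C:\Windows\system32\svchost.exe -k netsvcs", "Auto"),
    ("ArgsSvc", r"C:\Program Files\Example Vendor\upd.exe /svc", "Manual"),
]

# Unquoted value: executable runs up to the first ".exe" that is followed
# by whitespace or end of string; anything after it is arguments.
_EXE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_image_path(pathname):
    """Return (executable, arguments, was_quoted) for a service PathName."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end != -1:
            return p[1:end], p[end + 1:].strip(), True
    m = _EXE.match(p)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return p, "", False


def audit(services):
    """Flag services whose executable path contains a space and is not quoted."""
    findings = []
    for name, pathname, startmode in services:
        exe, args, quoted = split_image_path(pathname)
        if quoted or " " not in exe:
            continue  # quoted, or no space: the path is unambiguous
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({"name": name, "startmode": startmode,
                         "executable": exe, "quoted_path": fixed})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f['name']} ({f['startmode']}): set path to {f['quoted_path']}")
```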