DB: 2021-05-21

3 changes to exploits/shellcodes ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
2021-05-21 05:01:54 +00:00 · 2021-05-21 05:01:54 +00:00 · eeec67ddf9
commit eeec67ddf9
parent 2f8f6dffbd
4 changed files with 113 additions and 0 deletions
--- a/exploits/windows/local/49888.txt
+++ b/exploits/windows/local/49888.txt
@ -0,0 +1,35 @@
+# Exploit Title: ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
+# Date: 2020-05-19
+# Exploit Author: Alejandra Sánchez
+# Vendor Homepage: www.asus.com
+# Version: 1.0.94.0
+# Tested on: Windows 10 Pro x64 es
+
+# Description:
+ATK Hotkey 1.0.94.0 suffers from an unquoted search path issue impacting the service 'AsHidService'. This could potentially allow an 
+authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
+the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
+potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+# Prerequisites
+Local, Non-privileged Local User with restart capabilities
+
+# Details
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+ASUS HID Access Service               AsHidService               C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe               Auto
+
+C:\>sc qc "AsHidService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AsHidService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : ASUS HID Access Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
--- a/exploits/windows/local/49889.txt
+++ b/exploits/windows/local/49889.txt
@ -0,0 +1,38 @@
+# Exploit Title: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe'  Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2021-05-19
+# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
+# Tested Version: 3.0.0.99
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64 
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+NTI IScheduleSvc                                                        NTI ISch
+eduleSvc                              C:\Program Files (x86)\NTI\Acer Backup Man
+ager\IScheduleSvc.exe                                     Auto
+
+
+# Service info:
+
+C:\>sc qc "NTI IScheduleSvc"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NTI IScheduleSvc
+        TYPE               : 110  WIN32_OWN_PROCESS <interactive>
+        START_TYPE         : 2   AUTO_START  
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NTI IScheduleSvc
+        DEPENDENCIES       :                            
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
+ security applications where it could potentially be executed during application startup or reboot. If successful, the local user's 
+code would execute with the elevated privileges of the application.
--- a/exploits/windows/local/49890.txt
+++ b/exploits/windows/local/49890.txt
@ -0,0 +1,37 @@
+# Exploit Title: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe'  Unquoted Service Path
+# Discovery by: Emmanuel Lujan
+# Discovery Date: 2020-11-26
+# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
+# Tested Version: 1.2.3500.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7 Home Premium x64 
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Live Updater Service                                                    Live Upd
+ater Service                          C:\Program Files\Acer\Acer Updater\Updater
+Service.exe                                               Auto
+
+# Service info:
+
+C:\>sc qc "Live Updater Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Live updater Service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START  
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Live Updater Service
+        DEPENDENCIES       :                            
+        SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
+ security applications where it could potentially be executed during application startup or reboot. If successful, the local user's 
+code would execute with the elevated privileges of the application.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11330,6 +11330,9 @@ id,file,description,date,author,type,platform,port
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
 49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",2021-05-19,"H.H.A.Ravindu Priyankara",local,windows,
+49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",2021-05-20,"Alejandra Sánchez",local,windows,
+49889,exploits/windows/local/49889.txt,"Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,
+49890,exploits/windows/local/49890.txt,"Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe'  Unquoted Service Path",2021-05-20,"Emmanuel Lujan",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139