49 lines
No EOL
1.6 KiB
Text
49 lines
No EOL
1.6 KiB
Text
# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
|
|
# Date: 10/19/2016
|
|
# Exploit Author: Joey Lane
|
|
# Version: 15.1.0.0096
|
|
# Tested on: Windows 7 Professional
|
|
|
|
The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.
|
|
This enables a local privilege escalation vulnerability.
|
|
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
|
|
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
|
|
This was tested on version 15.1.0.0096, but other versions may be affected as well.
|
|
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
C:\>sc qc AMPPALR3
|
|
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
|
|
|
|
SERVICE_NAME: AMPPALR3
|
|
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
|
|
START_TYPE : 2 AUTO_START (DELAYED)
|
|
|
|
ERROR_CONTROL : 1 NORMAL
|
|
|
|
BINARY_PATH_NAME : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
|
|
|
|
LOAD_ORDER_GROUP :
|
|
|
|
TAG : 0
|
|
|
|
DISPLAY_NAME : Intelr Centrinor Wireless Bluetoothr + High Speed Service
|
|
|
|
DEPENDENCIES :
|
|
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
EXAMPLE:
|
|
|
|
Using the BINARY_PATH_NAME listed above as an example, an executable named
|
|
"Program.exe" could be placed in "C:\", and it would be executed as the
|
|
Local System user next time the service was restarted. |