
19 changes to exploits/shellcodes/ghdb FS-S3900-24T4S - Privilege Escalation Virtual Reception v1.0 - Web Server Directory Traversal admidio v4.2.5 - CSV Injection Companymaps v8.0 - Stored Cross Site Scripting (XSS) GLPI 9.5.7 - Username Enumeration OpenEMR v7.0.1 - Authentication credentials brute force PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) PHPJabbers Simple CMS 5.0 - SQL Injection PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS) phpMyFAQ v3.1.12 - CSV Injection projectSend r1605 - Private file download revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - File Inclusion RCE SoftExpert (SE) Suite v2.1.3 - Local File Inclusion Advanced Host Monitor v12.56 - Unquoted Service Path MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
59 lines
No EOL
2.3 KiB
Text
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2


Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path


Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host
Monitor version > 12.56 affecting the executable
"C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". This
vulnerability occurs when the service's path is misconfigured, allowing an
attacker to run a malicious file instead of the legitimate executable
associated with the service.

An attacker with local user privileges could exploit this vulnerability to
replace the legitimate RMA-Win\rma_active.exe service executable with a
malicious file of the same name and located in a directory that has a
higher priority than the legitimate directory. That way, when the service
starts, it will run the malicious file instead of the legitimate
executable, allowing the attacker to execute arbitrary code, gain
unauthorized access to the compromised system, or stop the service from
functioning.

To exploit this vulnerability, an attacker would need local access to the
system and the ability to write and replace files on the system. The
vulnerability can be mitigated by correcting the service path to correctly
quote the full path of the executable, including quotation marks.
Furthermore, it is recommended that users keep software updated with the
latest security updates and limit physical and network access to their
systems to prevent malicious attacks.


Proof of Concept:
================

C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
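The Summary explains the misconfiguration (an unquoted BINARY_PATH_NAME containing spaces) and the mitigation (quote the full executable path); the Proof of Concept shows the raw `sc qc` listing. The script below is an added example, not part of the advisory or of the vendor's software: it parses an `sc qc` listing, decides whether the service is affected, lists the prefix locations that Windows would probe before reaching the real executable (so an auditor can confirm nothing unexpected sits there and that those directories are not writable by standard users), and builds the `sc config ... binPath=` command that applies the quoted path. The sample listing is constructed from the advisory's own PoC output, re-joined onto one BINARY_PATH_NAME line; the function names are this example's own.

```python
"""Audit an `sc qc` listing for an unquoted service path with spaces and
produce the quoted binPath a defender should configure.

Added example (not part of the original advisory or of Advanced Host Monitor).
The sample below is constructed from the advisory's own `sc qc` output."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the advisory's `sc qc ActiveRMAService` listing.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\HostMonitor\\RMA-Win\\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output: str) -> Tuple[str, str]:
    """Return (service_name, binary_path_name) from an `sc qc` listing."""
    name = re.search(r"^SERVICE_NAME:\s*(\S+)", output, re.M)
    path = re.search(r"BINARY_PATH_NAME\s*:\s*(.*)$", output, re.M)
    if not name or not path:
        raise ValueError("not an `sc qc` listing")
    return name.group(1), path.group(1).strip()


def split_command(binary_path_name: str) -> Tuple[str, str]:
    """Split BINARY_PATH_NAME into (executable path, arguments).

    A quoted path ends at the closing quote. For an unquoted path we take
    everything up to the first token ending in .exe; the service control
    manager applies no such rule, which is exactly why quoting matters."""
    if binary_path_name.startswith('"'):
        end = binary_path_name.index('"', 1)
        return binary_path_name[1:end], binary_path_name[end + 1:].strip()
    m = re.match(r"(?i)(.*?\.exe)\b(.*)", binary_path_name)
    if not m:
        return binary_path_name, ""
    return m.group(1), m.group(2).strip()


def is_unquoted_with_spaces(binary_path_name: str) -> bool:
    """The misconfiguration: no surrounding quotes and a space in the exe path."""
    if binary_path_name.startswith('"'):
        return False
    exe, _ = split_command(binary_path_name)
    return " " in exe


def lookup_candidates(exe: str) -> List[str]:
    """Locations the loader tries before the real executable, in order.

    CreateProcess resolves an unquoted command line by treating each space as
    a possible end of the program name, appending .exe when that prefix has
    no extension. An auditor should confirm none of these files exist and
    that their parent directories are not writable by standard users."""
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
    return candidates


def quoted_bin_path(binary_path_name: str) -> str:
    """The corrected value: executable path in quotes, arguments unchanged."""
    exe, args = split_command(binary_path_name)
    return f'"{exe}" {args}'.rstrip()


def sc_config_command(service: str, binary_path_name: str) -> str:
    """Remediation command. binPath= takes one argument, so the inner quotes
    are escaped with backslashes for cmd.exe."""
    inner = quoted_bin_path(binary_path_name).replace('"', '\\"')
    return f'sc config {service} binPath= "{inner}"'


def audit(output: str) -> Dict[str, object]:
    """Full check over one `sc qc` listing."""
    service, bpn = parse_sc_qc(output)
    exe, _ = split_command(bpn)
    vulnerable = is_unquoted_with_spaces(bpn)
    fix: Optional[str] = sc_config_command(service, bpn) if vulnerable else None
    return {
        "service": service,
        "vulnerable": vulnerable,
        "candidates": lookup_candidates(exe) if vulnerable else [],
        "fix": fix,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit flags ActiveRMAService, reports `C:\Program.exe` and `C:\Program Files.exe` as the two locations probed ahead of the real executable, and emits the `sc config` command with the quoted path. The same functions accept the output of `sc qc` for any other service, so the check can be looped over `sc query` results on a host under review.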