77b46b2163
13 new exploits PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC) PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit PHP FFI Extension 5.0.5 - Local Safe_mode Bypass PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC) PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC) Apple QuickTime < 7.2 - SMIL Remote Integer Overflow Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC) Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow Integramod nederland 1.4.2 - Remote File Inclusion Integramod Nederland 1.4.2 - Remote File Inclusion CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation The Unarchiver 3.11.1 - '.tar.Z' Crash PoC XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation
51 lines
1.6 KiB
Text
Executable file
51 lines
1.6 KiB
Text
Executable file
# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
|
|
# Date: 10/19/2016
|
|
# Exploit Author: Joey Lane
|
|
# Version: 8.0.1.1399
|
|
# Tested on: Windows 7 Professional
|
|
|
|
The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.
|
|
This enables a local privilege escalation vulnerability.
|
|
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
|
|
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
|
|
|
|
This was tested on version 8.0.1.1399, but other versions may be affected
|
|
as well.
|
|
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
C:\>sc qc LMS
|
|
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
|
|
|
|
SERVICE_NAME: LMS
|
|
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
|
|
START_TYPE : 2 AUTO_START (DELAYED)
|
|
|
|
ERROR_CONTROL : 1 NORMAL
|
|
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
|
|
|
|
LOAD_ORDER_GROUP :
|
|
|
|
TAG : 0
|
|
|
|
DISPLAY_NAME : Intel(R) Management and Security Application Local Management Service
|
|
|
|
DEPENDENCIES :
|
|
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
EXAMPLE:
|
|
|
|
Using the BINARY_PATH_NAME listed above as an example, an executable named
|
|
"Program.exe" could be placed in "C:\", and it would be executed as the
|
|
Local System user next time the service was restarted.
|