38 lines
No EOL
1.5 KiB
Text
38 lines
No EOL
1.5 KiB
Text
# Exploit Title: Lenovo RapidBoot HDD Accelerator - Unquoted Service Path Privilege Escalation
|
|
# Date: 10/19/2016
|
|
# Exploit Author: Joey Lane
|
|
# Version: 1.00.0802
|
|
# Tested on: Windows 7 Professional
|
|
|
|
The Lenovo RapidBoot HDD Accelerator service is installed with an unquoted service path.
|
|
This enables a local privilege escalation vulnerability.
|
|
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
|
|
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
|
|
|
|
This was tested on version 1.00.0802, but other versions may be affected as well.
|
|
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
C:\>sc qc FastbootService
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: FastbootService
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : FastbootService
|
|
DEPENDENCIES : RPCSS
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
---------------------------------------------------------------------------
|
|
|
|
|
|
EXAMPLE:
|
|
|
|
Using the BINARY_PATH_NAME listed above as an example, an executable named
|
|
"Program.exe" could be placed in "C:\", and it would be executed as the
|
|
Local System user next time the service was restarted. |