Spoofer 1.4.6 Privilege Escalation / Unquoted Service Path

2022.03.31
Credit: Asim Sattar
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

# Exploit Title: Spoofer 1.4.6 – Local Privilege Escalation via Unquoted Service Path
# Date: 24/01/2022
# Exploit Author: Asim Sattar (@M_Asim_1)
# Vendor Homepage: https://www.caida.org/projects/spoofer/
# Software Link: https://www.caida.org/projects/spoofer/downloads/Spoofer-1.4.6-win32.exe
# Version: 1.4.6
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46443

Description:
-------------
Caida Spoofer 1.4.6 installs a service (spoofer-scheduler) with an unquoted service path. Since this service is running as SYSTEM, this creates a local privilege escalation vulnerability. To properly exploit this vulnerability, a local attacker can insert an executable in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges.

------------------
Proof of Concept:
------------------
C:\Users\asim.sattar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Spoofer Scheduler    spoofer-scheduler    C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe    Auto

C:\Users\asim.sattar>sc qc "spoofer-scheduler"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: spoofer-scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Spoofer Scheduler
        DEPENDENCIES       : tcpip
        SERVICE_START_NAME : LocalSystem

Regards,
Asim Sattar
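For auditing a host for the same condition, the following is an added example (not part of the original advisory or the Spoofer project) that parses saved `sc qc` output, flags services whose BINARY_PATH_NAME contains spaces but no surrounding quotes, and emits the quoted value the path should carry. The function names and the two control records are assumptions made for illustration; only the first sample record comes from the output above.

```python
import re

# Constructed `sc qc` excerpts. The first record copies the fields shown in the
# advisory; the other two are made-up controls (quoted path, path without spaces).
SAMPLE = r"""
SERVICE_NAME: spoofer-scheduler
        BINARY_PATH_NAME   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: example-quoted
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" --run
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: example-nospace
        BINARY_PATH_NAME   : C:\Tools\agent.exe -k netsvcs
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

FIELD = re.compile(r"^\s*(SERVICE_NAME|BINARY_PATH_NAME|SERVICE_START_NAME)\s*:\s*(.*\S)\s*$")
# Shortest prefix ending in ".exe" that is followed by arguments or end of string.
EXE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def parse_services(text):
    """Group the three fields of interest into one dict per service."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            services.append({"SERVICE_NAME": value})
        elif services:
            services[-1][key] = value
    return services

def audit(service):
    """Return a finding if the image path has spaces and no surrounding quotes."""
    path = service.get("BINARY_PATH_NAME", "")
    m = EXE.match(path)
    if path.startswith('"') or not m or " " not in m.group(1):
        return None
    return {
        "service": service["SERVICE_NAME"],
        "account": service.get("SERVICE_START_NAME", "unknown"),
        "quoted_path": '"%s"%s' % (m.group(1), m.group(2) or ""),
    }

def findings(text):
    return [f for f in map(audit, parse_services(text)) if f]

if __name__ == "__main__":
    print(findings(SAMPLE))
```

The `account` field is included so that findings running as LocalSystem, as spoofer-scheduler does here, can be prioritised for remediation.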



Copyright 2022, cxsecurity.com

 
