ExpressVPN - Unquoted Service Path Privilege Escalation

2019.07.14
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

********************************************************
# Exploit Title : ExpressVPN - Unquoted Service Path Privilege Escalation
# Vendor Homepage : www.expressvpn.com
# Exploit Author: Iran Cyber Security Group
# Date : 2019-07-14
# Tested on : Win10
# Discovered By : Und3rgr0und
# Our Team : www.iran-cyber.net
*******************************************************

# Description :

An older access system gives users access to up levels access.
ExpressVPN installs a service ("ExpressVPNService") with an unquoted service path running with SYSTEM privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.

# POC :

C:\xpl\Und3rgr0und>sc qc ExpressVPNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExpressVPNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ExpressVPN Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

*******************************************************
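An audit check for the condition described above, added here as an example and not part of the original advisory: it parses `sc qc` output, reports whether BINARY_PATH_NAME is unquoted with spaces, and lists the shorter paths whose existence and ACLs should be reviewed. It is run over the fields shown in this page's PoC output (where the path appears inside quotes) and over a constructed unquoted sample; `ExampleSvc` and its path are hypothetical.

```python
import re

# Fields as shown in this page's PoC output (path is enclosed in quotes there).
PAGE_SAMPLE = r'''SERVICE_NAME: ExpressVPNService
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe"
        SERVICE_START_NAME : LocalSystem'''

# Constructed sample: hypothetical service with an unquoted path and arguments.
CONSTRUCTED_SAMPLE = r'''SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : C:\Program Files\Example App\svc.exe -k run
        SERVICE_START_NAME : LocalSystem'''


def parse_sc_qc(text):
    """Return {FIELD: value} from the text printed by `sc qc <service>`."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_0-9]+)\s*:\s?(.*)$', line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def executable_part(path):
    """Command line up to the first '.exe', so argument spaces are ignored."""
    m = re.match(r'(.*?\.exe)(?=\s|$)', path, re.IGNORECASE)
    return m.group(1) if m else path


def audit(text):
    f = parse_sc_qc(text)
    path = f.get('BINARY_PATH_NAME', '')
    exe = executable_part(path)
    unquoted = bool(path) and not path.startswith('"') and ' ' in exe
    audit_paths = []
    if unquoted:
        # Windows resolves an unquoted path by trying each space-delimited
        # prefix plus ".exe" first; none of these should exist or be creatable
        # by non-administrators.
        parts = exe.split(' ')
        audit_paths = [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]
    return {'service': f.get('SERVICE_NAME'), 'path': path, 'unquoted': unquoted,
            'runs_as_system': f.get('SERVICE_START_NAME') == 'LocalSystem',
            'audit_paths': audit_paths}


if __name__ == '__main__':
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(audit(sample))
```

The remediation for a flagged service is to re-register it with the executable path wrapped in double quotes and to confirm that standard users cannot write to any parent directory.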



Copyright 2019, cxsecurity.com

 
