Vendor: Brother BRAgent
By: Brian Rodriguez
CVSS: 7,8 HIGH
Unquoted Service Path
CWE: 73
Product Name: Brother BRAgent
Affected Version From: 1.38
Affected Version To: 1.38
Patch Exists: NO
Related CWE: N/A
CPE: a:brother:brother_bragent:1.38
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10 Enterprise 64 bits
2021
Brother BRAgent 1.38 – ‘WBA_Agent_Client’ Unquoted Service Path
Brother BRAgent 1.38 has an unquoted service path vulnerability that an attacker can exploit to gain elevated privileges on the system. The vulnerability exists because the service path of the Brother BRAgent service is not properly quoted. An attacker can exploit it by creating a malicious executable with the same name as the service path and placing it in the same directory. When the service is started, the malicious executable is executed with SYSTEM privileges.
Mitigation:
Ensure that all service paths are properly quoted. Additionally, ensure that all services are running with the least privileges necessary.
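One way to check the first mitigation point on a Windows host, as an added PowerShell example that is not part of the original advisory: it flags services whose executable path contains spaces but is not enclosed in quotes. The function name `Test-UnquotedServicePath` and the sample paths are hypothetical; the samples are constructed and are not the real BRAgent install path.

```powershell
# Added example (not from the advisory): flag services whose executable path
# contains spaces but is not enclosed in quotes.
function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }            # already quoted
    # Isolate the executable part so spaces in arguments are not counted.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $false }               # e.g. kernel driver .sys paths
    return $m.Groups[1].Value.Contains(' ')
}

# Constructed sample paths (hypothetical, not the real BRAgent path).
$samples = @(
    'C:\Program Files\Example Vendor\Agent\agent.exe',         # unquoted, spaces: flagged
    '"C:\Program Files\Example Vendor\Agent\agent.exe" -svc',  # quoted: not flagged
    'C:\Windows\System32\svchost.exe -k netsvcs',              # no spaces in exe path
    'C:\Tools\agent.exe --config "C:\My Data\a.ini"'           # spaces only in arguments
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local machine: list every service that would be flagged,
# with the account it runs as, so high-privilege services can be fixed first.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize -Wrap
```

A flagged service is corrected by enclosing the executable path in double quotes in its `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`.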