UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path

vendor:

UDisk Monitor Z5 Phone

by:

Edgar Carrillo Egea

7.8

CVSS

HIGH

Unquoted Service Path

CWE

Product Name: UDisk Monitor Z5 Phone

Affected Version From: 2.0.3.0

Affected Version To: 2.0.3.0

Patch Exists: NO

Related CWE:

CPE: o:microsoft:windows_10:10.0.19044

Metasploit:

Other Scripts:

Platforms Tested: Microsoft Windows 10 Pro x64

2022

UDisk Monitor Z5 Phone – ‘MonServiceUDisk.exe’ Unquoted Service Path

The UDisk Monitor Z5 Phone service is vulnerable to an unquoted service path vulnerability. This vulnerability allows an attacker to gain elevated privileges on the system. The service is installed with the Android_USB_Driver_Z package and is set to start automatically. The service path is not quoted, allowing an attacker to inject malicious code into the path.

Mitigation:

Ensure that all service paths are properly quoted. Additionally, ensure that all services are running with the least privileges necessary.

Source

Exploit-DB raw data:

# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe'  Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone                                                                                                             UDisk Monitor Z5 Phone                      C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe                                                                     Auto

C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: UDisk Monitor Z5 Phone
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : UDisk Monitor Z5 Phone
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\Users\edgar>systeminfo

Nombre de host:                            DESKTOP-810865D
Nombre del sistema operativo:              Microsoft Windows 10 Pro
Versión del sistema operativo:             10.0.19044 N/D Compilación 19044