Vendor: ShadowMaker
By: Thalia Nieto
CVSS: 7.8 (HIGH)
Vulnerability Type: Unquoted Service Path
CWE: 426
Product Name: ShadowMaker
Affected Version From: 3.2
Affected Version To: 3.2
Patch Exists: NO
Related CWE: N/A
CPE: a:minitool:shadowmaker:3.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
2021

MiniTool ShadowMaker 3.2 – ‘MTAgentService’ Unquoted Service Path

MiniTool ShadowMaker 3.2 is affected by an unquoted service path vulnerability that an attacker can exploit to gain elevated privileges on the system. The binary path of the MTAgentService service contains spaces and is not enclosed in quotes. An attacker can exploit this by placing malicious files in the same directory as the MTAgentService service executable. When the service is started, the malicious files will be executed with SYSTEM privileges.

Mitigation:

Ensure that all service binary paths are enclosed in quotes and that no malicious files are placed in the same directory as the service executable.
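
One way to check the first part of this mitigation across a host, as an added example that is not part of the original advisory or of MiniTool's software: a PowerShell filter that reports services whose binary path contains spaces but no quotes, and shows the quoted form. The function name Get-UnquotedServicePath and the sample services ExampleQuoted and ExampleNoSpace are hypothetical; only the MTAgentService path comes from the output shown on this page.

```powershell
# Added example: report services whose binary path has spaces but no quotes.
function Get-UnquotedServicePath {
    param(
        # Object with Name, PathName and StartName, as Win32_Service provides
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    process {
        $path = ([string]$Service.PathName).Trim()
        if (-not $path -or $path.StartsWith('"')) { return }   # empty or already quoted

        # Split into the executable (up to the first ".exe") and any arguments
        $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
        if (-not $m.Success) { return }          # drivers and non-.exe paths: not covered
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { return }      # no space in the executable path

        [pscustomobject]@{
            Name      = $Service.Name
            StartName = $Service.StartName
            PathName  = $path
            Quoted    = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
        }
    }
}

# Constructed sample rows; the first PathName is the one in the advisory output.
$samples = @(
    [pscustomobject]@{ Name = 'MTAgentService'; StartName = 'LocalSystem'
        PathName = 'C:\Program Files\MiniTool ShadowMaker\AgentService.exe' }
    [pscustomobject]@{ Name = 'ExampleQuoted'; StartName = 'LocalSystem'
        PathName = '"C:\Program Files\Example\svc.exe" --run' }
    [pscustomobject]@{ Name = 'ExampleNoSpace'; StartName = 'LocalSystem'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
$samples | Get-UnquotedServicePath | Format-List

# On a live host:
# Get-CimInstance Win32_Service | Get-UnquotedServicePath | Format-List
```

Of the three sample rows only MTAgentService is reported. The Quoted column is the value the service's ImagePath should hold once the path is corrected.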

Exploit-DB raw data:

# Exploit Title: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
# Discovery by: Thalia Nieto
# Discovery Date: 02/01/21
# Vendor Homepage: https://www.minitool.com
# Software Link: https://www.minitool.com/backup/thanks-download.html?v=sm-free&r=download-center/
# Tested Version: 3.2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, name | findstr /i "MTAgentService"

MTAgentService	MTAgentService	C:\Program Files\MiniTool ShadowMaker\AgentService.exe

# Service info:

C:\>sc qc "MTAgentService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MTAgentService
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\MiniTool ShadowMaker\AgentService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MTAgentService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem