Skip to content
/ CVE-2024-27462 Public

Wondershare MobileTrans 4.5.6 - Unquoted Service Path

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Alaatk/CVE-2024-27462

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 

Repository files navigation

CVE-2024-27462

Wondershare MobileTrans 4.5.6 - Unquoted Service Path

Description:

Wondershare Filmora versions 4.5.6 and lower contain multiple unquoted service path which allow attackers to escalate privileges to the system level.

Impacted service(s)

WsAppService3 service binary Path C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe ElevationService service binary Path C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe

Services Permissions

C:\Windows\system32>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Wondershare Driver Install Service help              ElevationService        C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe 	Auto
Wondershare Application Update Service 3.0           WsAppService3           C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe 	Auto

C:\Windows\system32>sc qc WsAppService3
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WsAppService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Application Update Service 3.0
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Windows\system32>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Attack Vector

If a malicious user has the write permissions in any of the spaced paths, they can drop a malicious executable in that folder and execute code as SYSTEM. For example, consider we have a low privileged user with write permissions to C:, then, we can drop a malicious executable named Program.exe at the path C:\ and upon reboot, the service will execuete the payload as SYSTEM.

Discovered by:

  • Fabrizio Noviello of Deloitte Belgium
  • Alaa Kachouh

About

Wondershare MobileTrans 4.5.6 - Unquoted Service Path

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published