10-Strike Network Inventory Explorer 8.54 Unquoted Service Path

10-Strike Network Inventory Explorer version 8.54 suffers from a srvInventoryWebServer unquoted service path vulnerability.


MD5 | 33e492edb7e3947d996da9a4475106b2

# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7

# Step to discover Unquoted Service Path:

C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto

# Service info:

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : srvInventoryWebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>

# Exploit:

# A successful attempt would require the local user to be able to insert their code in the
# system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local
# user's code would execute with the elevated privileges of the application.

Related Posts