Atomic Alarm Clock 6.3 Unquoted Service Path

Atomic Alarm Clock version 6.3 suffers from an unquoted service path vulnerability.


MD5 | 9772a437661ceaa5d2a847108d660eac

#Exploit Title: Atomic Alarm Clock (x86) - Local Privilege Escalation
#Exploit Author: Bobby Cooke
#Date: 04/17/2020
#Vendor Homepage: http://www.drive-software.com
#Software Link: http://www.drive-software.com/download/ataclock.exe
#Version: 6.3
#Tested On: Windows 10 Pro 1909 (32-bit)
#Vulnerability Type:
Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
#Vulnerability Description:
The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. This security misconfiguration by the vendor can be exploited locally or as part of an attack chain. By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution. Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.

C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AtomicAlarmClock
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Atomic Alarm Clock Time
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Related Posts