Cobian Backup Service Unquoted Service Path

Cobian Backup Service versions prior to 11 suffer from an unquoted service path vulnerability.


MD5 | b8f96458302380ef50fd2ae4652d5c03

# Exploit Title: Cobian Backup Service < 11 -  Unquoted Service Path
# Discovery by: yunaranyancat
# Discovery Date: October 2020
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10

# Info

It has been observed that Cobian Backup service ver. 11 and earlier suffers from Unquoted Service Path Vulnerability

# Vulnerability discovery:

Registry value : HKLM\SYSTEM\ControlSet001\Services\CobianBackup11

# Service info:

C:\>sc qc CobianBackup11
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianBackup11
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 Normal
BINARY_PATH_NAME : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cobian Backup 11 Gravity
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

# Exploit:

This vulnerability could permit executing code during startup or reboot with the escalated privileges.

Related Posts