Wondershare MobileTrans 4.5.6 - Unquoted Service Path

CVE-2024-27462

Description:

Wondershare Filmora versions 4.5.6 and lower contain multiple unquoted service paths, which allow attackers to escalate privileges to SYSTEM level.

Impacted service(s)

  • WsAppService3 - service binary path: C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe
  • ElevationService - service binary path: C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe

Services Permissions

C:\Windows\system32>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Wondershare Driver Install Service help              ElevationService        C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe 	Auto
Wondershare Application Update Service 3.0           WsAppService3           C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe 	Auto

C:\Windows\system32>sc qc WsAppService3
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WsAppService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Application Update Service 3.0
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Windows\system32>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Attack Vector

If a malicious user has write permissions to any directory along one of these unquoted, space-containing paths, they can drop a malicious executable in that folder and execute code as SYSTEM. For example, if a low-privileged user has write permissions to C:\, they can drop a malicious executable named Program.exe at C:\ and, upon reboot, the service will execute the payload as SYSTEM.
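
As an added defender-side example (not part of the original advisory), the following Python audit parses `sc qc` output like the blocks above, flags services whose BINARY_PATH_NAME is unquoted and contains spaces, lists the directories whose write ACLs decide exposure (CreateProcess cuts an unquoted command line at each space and appends .exe), and builds the `sc config ... binPath=` command that fixes the registration. The sample input is constructed from the two paths quoted above; the function names are assumptions of this example.

```python
import re

# Constructed sample: the BINARY_PATH_NAME values from the `sc qc` output in this advisory.
SAMPLE_SC_QC = r"""SERVICE_NAME: WsAppService3
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ElevationService
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME for each `sc qc` block in text."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            services[current] = m.group(1)
    return services

def is_unquoted_with_spaces(binary_path):
    """The SCM mis-parses a path only if it is unquoted AND contains a space."""
    p = binary_path.strip()
    return not p.startswith('"') and " " in p

def hijack_candidates(binary_path):
    """Executables CreateProcess tries before the real one: the unquoted command
    line is cut at each space and '.exe' appended (assumes no arguments, as here)."""
    p = binary_path.strip()
    return [p[:i] + ".exe" for i, ch in enumerate(p) if ch == " "]

def hijack_directories(binary_path):
    """Directories whose write ACL decides exposure, in probe order, de-duplicated."""
    dirs = [c.rsplit("\\", 1)[0] + "\\" for c in hijack_candidates(binary_path)]
    return list(dict.fromkeys(dirs))

def remediation_command(service, binary_path):
    """sc.exe command that re-registers the service with a properly quoted path."""
    return f'sc config {service} binPath= "\\"{binary_path.strip()}\\""'

def audit(text):
    """{service: directories to check} for every service with an unquoted spaced path."""
    return {svc: hijack_directories(path) for svc, path in parse_sc_qc(text).items()
            if is_unquoted_with_spaces(path)}
```

On a live host, feed the combined output of `sc qc <service>` for each auto-start service into `audit`, then check the returned directories with `icacls` for write rights granted to non-administrators.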

Discovered by:

  • Fabrizio Noviello of Deloitte Belgium
  • Alaa Kachouh