Menu

Search for hundreds of thousands of exploits

"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation"

Author

Exploit author

Th3GundY

Platform

Exploit platform

windows

Release date

Exploit published date

2016-10-07

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Exploit Title: BlueStacks 2.5.55 Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: http://www.bluestacks.com/
# Version: Software Version <= 2.5.55
# Tested on: Windows 7-10 x86/x64

1. Description

BlueStacks Log Rotator Service (BstHdLogRotatorSvc) installs as a service with 
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.


2. Proof of Concept

C:\>sc qc BstHdLogRotatorSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BstHdLogRotatorSvc
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : BlueStacks Log Rotator Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem		
		
		
3. Exploit:
 
A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.


Additional notes :

Fixed in version v2.5.61

Vulnerability Disclosure Timeline:
=========================
24/09/2016   -   Contact With Vendor
28/09/2016   -   Vendor Response
04/10/2016   -   Release Fixed Version
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-05-28 "QNAP QTS and Photo Station 6.0.3 - Remote Command Execution" webapps php Th3GundY
2017-02-13 "PHP Marketplace Script - SQL Injection" webapps php Th3GundY
2017-02-04 "Itech Job Portal Script 9.13 - Multiple Vulnerabilities" webapps php Th3GundY
2017-02-03 "Itech Multi Vendor Script 6.49 - SQL Injection" webapps php Th3GundY
2016-11-18 "FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow" remote windows Th3GundY
2016-10-07 "BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation" local windows Th3GundY
2016-10-06 "Comodo Dragon Browser - Unquoted Service Path Privilege Escalation" local windows Th3GundY
2016-10-06 "Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation" local windows Th3GundY 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected