Clean Master 1.0 - Unquoted Service Path Privilege Escalation

2016-10-09 13:42:14
Posted by: ZwX-000

Document Title:
===============
Clean Master 1.0 - Unquoted Service Path Privilege Escalation


Release Date:
=============
2016-10-02


Vulnerability Disclosure Timeline:
==================================
2016-10-02 : Discovery of the Vulnerability
2016-10-02 : Contact the Vendor (No Response)
2016-10-05 : Public Disclosure


Product & Service Introduction:
===============================
Clean Master Cleaner is a powerful application dedicated to the cleaning of certain content Android terminal. It is able to remove all traces of activities performed on the Smartphone to free up space and increase performance. This app is able to best improve the security system of the device.

(Copy of the Vendor Homepage: http://www.cmcm.com/ )


Affected Product(s):
====================
Product: Clean Master v1.0 - Software


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
The application suffers from a search path issue unquoted impact on Clean Master programe. This could potentially allow
authorized but unprivileged local user to execute arbitrary code with system privileges on the system.


Proof of Concept (PoC):
=======================
The issue can be exploited by local attackers with restricted system user account or network access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

--- Privileges Logs ---
C:\Program Files\cmcm\Clean Master>sc qc cmcore
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: cmcore
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "c:\program files\cmcm\Clean Master\cmcore.exe" /service cmcore
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Clean Master Core Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


[+] Disclaimer [+]
===================
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain: www.zwx.fr
Contact: [email protected]
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/
0day.today/author/27461


Copyright © 2016 | ZwX - Security Researcher (Software & web application)

Fixes

No fixes

In order to submit a new fix you need to be registered.