exploit the possibilities

Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 Privilege Escalation

Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 Privilege Escalation
Posted Oct 20, 2016
Authored by Joey Lane

Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed version 15.1.0.0096 suffers from an unquoted service path privilege escalation vulnerability.

tags | exploit
MD5 | d009d78635ae7638c7f9d2f6ec42456f

Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 Privilege Escalation

Change Mirror Download
# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 15.1.0.0096
# Tested on: Windows 7 Professional

The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 15.1.0.0096, but other versions may be affected as well.


---------------------------------------------------------------------------

C:\>sc qc AMPPALR3

[SC] QueryServiceConfig SUCCESS



SERVICE_NAME: AMPPALR3

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START (DELAYED)

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Intelr Centrinor Wireless Bluetoothr + High Speed Service

DEPENDENCIES :

SERVICE_START_NAME : LocalSystem

---------------------------------------------------------------------------


EXAMPLE:

Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.


Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close