what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ExpressVPN Unquoted Service Path Privilege Escalation

ExpressVPN Unquoted Service Path Privilege Escalation
Posted Jul 14, 2019
Authored by Und3rgr0und

ExpressVPN suffers from an unquoted service path privilege escalation vulnerability.

tags | advisory
SHA-256 | 4774e3e6be4395f7b1306b2a2c666f2e3b35412790d29593330851e83b8b9c6e

ExpressVPN Unquoted Service Path Privilege Escalation

Change Mirror Download
********************************************************
# Exploit Title : ExpressVPN - Unquoted Service Path Privilege Escalation
# Vendor Homepage : www.expressvpn.com
# Exploit Author: Iran Cyber Security Group
# Date : 2019-07-14
# Tested on : Win10
# Discovered By : Und3rgr0und
# Our Team : www.iran-cyber.net
*******************************************************

# Description :

An older access system gives users access to up levels access. ExpressVPN
installs a service ("ExpressVPNService") with an unquoted service path running with SYSTEM privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.

# POC :

C:\xpl\Und3rgr0und>sc qc ExpressVPNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExpressVPNService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ExpressVPN Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

*******************************************************
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    50 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    7 Files
  • 30
    Mar 30th
    31 Files
  • 31
    Mar 31st
    15 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close