what you don't know can hurt you

ExpressVPN Unquoted Service Path Privilege Escalation

ExpressVPN Unquoted Service Path Privilege Escalation
Posted Jul 14, 2019
Authored by Und3rgr0und

ExpressVPN suffers from an unquoted service path privilege escalation vulnerability.

tags | advisory
MD5 | 888b100d877b52c3022efc827bcbdd49

ExpressVPN Unquoted Service Path Privilege Escalation

Change Mirror Download
********************************************************
# Exploit Title : ExpressVPN - Unquoted Service Path Privilege Escalation
# Vendor Homepage : www.expressvpn.com
# Exploit Author: Iran Cyber Security Group
# Date : 2019-07-14
# Tested on : Win10
# Discovered By : Und3rgr0und
# Our Team : www.iran-cyber.net
*******************************************************

# Description :

An older access system gives users access to up levels access. ExpressVPN
installs a service ("ExpressVPNService") with an unquoted service path running with SYSTEM privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.

# POC :

C:\xpl\Und3rgr0und>sc qc ExpressVPNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExpressVPNService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ExpressVPN Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

*******************************************************
Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    5 Files
  • 4
    Aug 4th
    7 Files
  • 5
    Aug 5th
    7 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close