what you don't know can hurt you

Rapid7 Nexpose Installer 6.6.39 Unquoted Service Path

Rapid7 Nexpose Installer 6.6.39 Unquoted Service Path
Posted Sep 14, 2020
Authored by Angelo D'Amato

Rapid7 Nexpose Installer version 6.6.39 suffers from an unquoted service path vulnerability.

tags | exploit
MD5 | 779582d9267975b0b34cb162ca6ceded

Rapid7 Nexpose Installer 6.6.39 Unquoted Service Path

Change Mirror Download
# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
# Date: 2020-08-31
# Exploit Author: Angelo D'Amato
# Vendor Homepage: https://www.rapid7.com
# Version: <=6.6.39
# CVE :N/A

Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation


Vendor: Rapid7
Product web page: https://www.rapid7.com
Affected version: <=6.6.39

Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
the entire vulnerability management lifecycle, including discovery, detection,
verification, risk classification, impact analysis, reporting and mitigation.
It integrates with Rapid7's Metasploit for vulnerability exploitation.

Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path
that contains an unquoted element, in which the element contains whitespace
or other separators. This can cause the product to access resources in a parent
path, allowing local privilege escalation.

Tested on: Microsoft Windows 10 Enterprise, x64-based PC
Microsoft Windows Server 2016 Standard, x64-based PC


Vulnerability discovered by Angelo D'Amato
@zeroscience


Advisory ID: ZSL-2019-5587
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php


07.08.2020

--


C:\Users\test>sc qc nexposeengine
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeengine
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Nexpose Scan Engine
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close