Wondershare Filmora v.13.0.51 - Insecure Permissions Privilege Escalation
Insecure Permissions vulnerability in Wondershare Filmora and versions below allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script to the controlable path C:\Users%username%\AppData\Local\Wondershare\Wondershare NativePush.
Path permission: C:\Users%username%\AppData\Local\Wondershare\Wondershare NativePush
The insecure folder permissions grants Full access to all users in the host.
C:\Users\%username%\AppData\Local\Wondershare\Wondershare NativePush
BUILTIN\Users:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
DESKTOP-LF5STJ1\test:(I)(OI)(CI)(F)
The installation of the solution will create an insecure folder where the binary WsNativePushService.exe is located, and this allows a malicious user to manipulate file contents or change the legitimate files (e.g., VWsNativePushService.exe which runs with SYSTEM privileges) to compromise a system or to gain elevated privileges as the SYSTEM user. The abuse method is done by replacing the original WsNativePushService.exe with a malicious one, and rebooting the system so the service will reboot and execute our desired code as SYSTEM.
Alaa Kachouh