Document Title: =============== Clean Master 1.0 - Unquoted Service Path Privilege Escalation Release Date: ============= 2016-10-02 Vulnerability Disclosure Timeline: ================================== 2016-10-02 : Discovery of the Vulnerability 2016-10-02 : Contact the Vendor (No Response) 2016-10-05 : Public Disclosure Product & Service Introduction: =============================== Clean Master Cleaner is a powerful application dedicated to the cleaning of certain content Android terminal. It is able to remove all traces of activities performed on the Smartphone to free up space and increase performance. This app is able to best improve the security system of the device. (Copy of the Vendor Homepage: http://www.cmcm.com/ ) Affected Product(s): ==================== Product: Clean Master v1.0 - Software Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ The application suffers from a search path issue unquoted impact on Clean Master programe. This could potentially allow authorized but unprivileged local user to execute arbitrary code with system privileges on the system. Proof of Concept (PoC): ======================= The issue can be exploited by local attackers with restricted system user account or network access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. --- Privileges Logs --- C:Program FilescmcmClean Master>sc qc cmcore [SC] QueryServiceConfig réussite(s) SERVICE_NAME: cmcore TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "c:program filescmcmClean Mastercmcore.exe" /service cmcore LOAD_ORDER_GROUP : ShellSvcGroup TAG : 0 DISPLAY_NAME : Clean Master Core Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [+] Disclaimer [+] =================== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Domain: www.zwx.fr Contact: msk4@live.fr Social: twitter.com/XSSed.fr Feeds: www.zwx.fr/feed/ Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/ 0day.today/author/27461 Copyright © 2016 | ZwX - Security Researcher (Software & web application) # Iranian Exploit DataBase = http://IeDb.Ir [2016-10-09]