IObit Uninstaller Unquoted Service Path Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in IObit Uninstaller version 9.5.0.15. The issue arises from an unquoted service path in the IObitUnSvr service, allowing local attackers to gain SYSTEM-level privileges. Exploitation involves placing a malicious executable named 'IObit.exe' in the 'C:\Program Files (x86)\IObit' directory and restarting the service to execute the code with elevated rights.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to the SYSTEM level, the highest level of privilege on a Windows machine.

Reproduction

To reproduce this vulnerability, first verify if the IObitUnSvr service is running with SYSTEM privileges. This can be done using the 'sc qc IObitUnSvr' command, which will show the service's binary path and confirm its permission level. Once confirmed, create a malicious executable named 'IObit.exe' using a tool like msfvenom, ensuring it is configured to open a reverse shell. After dropping the executable into the 'C:\Program Files (x86)\IObit' directory, restart the IObit Uninstaller service. If the payload was created with msfvenom, it can be migrated to another process to establish a reverse shell connection.