Syncplify.me Server Unquoted Service Path Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in Syncplify.me Server version 5.0.37, specifically within the 'SMWebRestServicev5' service. The vulnerability arises from an unquoted service path, which allows a local attacker to place a malicious executable along the service's binary path. When the service is restarted or the system reboots, that executable can run with LocalSystem privileges.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, with executed payloads running under the LocalSystem account, which has extensive rights on the system.

Reproduction

The vulnerability can be reproduced by first identifying the unquoted service path of the 'SMWebRestServicev5' service using the Windows Management Instrumentation Command-line (WMIC) tool. Once the unquoted path is confirmed, a malicious executable can be placed in the service path. After the executable is inserted, restarting the service or the system will trigger the execution of the malicious payload with elevated privileges.
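The same path check can be run defensively across all services on a host. The PowerShell below is an added example, not code from the advisory or the vendor. The function name Get-UnquotedServicePathFinding is hypothetical and the sample service names and paths are constructed; it flags unquoted executable paths that contain a space and prints the quoted form to set as the service's binary path.

```powershell
# Added example (defensive audit). Heuristic: the executable is assumed to end at the first ".exe".
function Get-UnquotedServicePathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName
    )
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                    # already quoted: not affected
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }                       # no .exe image (e.g. a driver): out of scope
    $exe = $m.Groups['exe'].Value
    if (-not $exe.Contains(' ')) { return }               # no space: the path parses unambiguously
    [pscustomobject]@{
        Name      = $Name
        PathName  = $p
        Suggested = '"' + $exe + '"' + $m.Groups['args'].Value   # quoted replacement value
    }
}

# Constructed sample rows standing in for Win32_Service records (Name, PathName).
$sample = @(
    [pscustomobject]@{ Name = 'ExampleQuoted';   PathName = '"C:\Program Files\Example Vendor\svc.exe" --run' }
    [pscustomobject]@{ Name = 'ExampleNoSpace';  PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'ExampleUnquoted'; PathName = 'C:\Program Files\Example Vendor\svc.exe --run' }
)

# On a live host, replace $sample with:
#   Get-CimInstance Win32_Service | Where-Object PathName
# or check only the service named in this advisory:
#   Get-CimInstance Win32_Service -Filter "Name='SMWebRestServicev5'"
$sample |
    ForEach-Object { Get-UnquotedServicePathFinding -Name $_.Name -PathName $_.PathName } |
    Format-List
```

Only the ExampleUnquoted row is reported. For any finding, also review write permissions on each directory along the reported path.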

Added: May 16, 2026, 4:40 PM
Updated: May 16, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.