Wondershare Filmora v.13.0.51 - Insecure Permissions Privilege Escalation# CVE-2024-26574
Wondershare Filmora v.13.0.51 - Insecure Permissions Privilege Escalation
### Description:
Insecure Permissions vulnerability in Wondershare Filmora and versions below allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script to the controlable path C:\Users\%username%\AppData\Local\Wondershare\Wondershare NativePush.
### Impacted component(s)
Path permission: C:\Users\%username%\AppData\Local\Wondershare\Wondershare NativePush
### ACL Permissions
The insecure folder permissions grants Full access to all users in the host.
```
C:\Users\%username%\AppData\Local\Wondershare\Wondershare NativePush
BUILTIN\Users:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
DESKTOP-LF5STJ1\test:(I)(OI)(CI)(F)
```
### Attack Vector
The installation of the solution will create an insecure folder where the binary WsNativePushService.exe is located, and this allows a malicious user to manipulate file contents or change the legitimate files (e.g., VWsNativePushService.exe which runs with SYSTEM privileges) to compromise a system or to gain elevated privileges as the SYSTEM user.
The abuse method is done by replacing the original WsNativePushService.exe with a malicious one, and rebooting the system so the service will reboot and execute our desired code as SYSTEM.
#### Discovered by:
Alaa Kachouh
[4.0K] /data/pocs/befb65cb7cc63984414471a7a30917efaa150258
└── [1.6K] README.md
0 directories, 1 file