Wondershare Filmora v.13.0.51 - Insecure Permissions Privilege Escalation

Insecure Permissions vulnerability in Wondershare Filmora and versions below allows a local unprivileged attacker to execute arbitrary code as SYSTEM via a crafted script to the controlable path C:\Users%username%\AppData\Local\Wondershare\Wondershare NativePush.

Path permission: C:\Users%username%\AppData\Local\Wondershare\Wondershare NativePush

The insecure folder permissions grants Full access to all users in the host.

C:\Users\%username%\AppData\Local\Wondershare\Wondershare NativePush 
                                                               BUILTIN\Users:(OI)(CI)(F)
                                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                               DESKTOP-LF5STJ1\test:(I)(OI)(CI)(F)

The installation of the solution will create an insecure folder where the binary WsNativePushService.exe is located, and this allows a malicious user to manipulate file contents or change the legitimate files (e.g., VWsNativePushService.exe which runs with SYSTEM privileges) to compromise a system or to gain elevated privileges as the SYSTEM user. The abuse method is done by replacing the original WsNativePushService.exe with a malicious one, and rebooting the system so the service will reboot and execute our desired code as SYSTEM.

Alaa Kachouh