New Vulnerability in Wondershare Dr.Fone could allow hackers to gain access

Sunday, November 1, 2020, 7:27 GMT

Dr. Fone 3.0.0 allows local users to gain privileges via a Trojan horse DriverInstall.exe, because %PROGRAMFILES(X86)%\Wondershare\dr.fone\Library\DriverInstaller grants Full Control to BUILTIN\Users.


DETAILS:

CVE : CVE-2020-27992

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Wondershare Driver Install Service WsDrvInst C:\Program Files (x86)\Wondershare\dr.fone\Library\DriverInstaller\DriverInstall.exe Auto

C:\>sc query WsDrvInst

NOME_SERVIZIO: WsDrvInst
TIPO : 10 WIN32_OWN_PROCESS
STATO : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
CODICE_USCITA_WIN32 : 0 (0x0)
CODICE_USCITA_SERVIZIO : 0 (0x0)
PUNTO_CONTROLLO : 0x0
INDICAZIONE_ATTESA : 0x0

Get-Acl -Path "C:\Program Files (x86)\Wondershare\dr.fone\Library\DriverInstaller"

Directory: C:\Program Files (x86)\Wondershare\dr.fone\Library

Path Owner Access
---- ----- ------
DriverInstaller BUILTIN\Administrators BUILTIN\Users Allow FullControl

Solution:

Update your software.
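
To check whether this or any other auto-start service still runs from a directory that low-privileged groups can write to, the PowerShell audit below combines the service listing and the Get-Acl check shown above. It is an added example, not part of the original advisory; the helper name Get-ServiceBinaryPath, the SID list and the rights mask are assumptions of the example.

```powershell
# Added example (not from the advisory): list auto-start services whose binary
# directory grants write-type rights to low-privileged groups.
# Well-known SIDs are used instead of names so the check works on localized Windows.
$lowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Rights that let a principal plant or replace a file (assumed mask for this example),
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that appear on some inherited ACEs.
$fsr  = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($fsr'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') -bor
        0x10000000 -bor 0x40000000

# Hypothetical helper: pull the executable path out of a service PathName,
# which may be quoted, unquoted with spaces, or followed by arguments.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { return }
    $dir = Split-Path -Path $exe -Parent
    if (-not (Test-Path -LiteralPath $dir)) { return }

    # Ask for explicit and inherited rules with identities expressed as SIDs.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $rule.IdentityReference.Value -and
            (([int]$rule.FileSystemRights -band $mask) -ne 0)) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Directory = $dir
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

An empty result means no auto-start service directory matched; on a system in the state shown above, WsDrvInst would be listed with S-1-5-32-545 and FullControl.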

References:

packetstormsecurity.com/files/159775/Wondershare-Dr.Fone-3.0.0-Unquoted-Service-Path.html

