Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation

Exploit Author: Thurein Soe Analysis Author: www.bubbleslearn.ir Category: Local Language: Shell Published Date: 2023-05-25 
# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
# Date: 20  May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://filmora.wondershare.com
# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE
# Version: Filmora 12 ( Build 1.0.0.7)
# Tested on: Windows 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31747


Vulnerability description:
Filmora is a professional video editing software. Wondershare NativePush
Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare
NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The
service name "NativePushService" was vulnerable to unquoted service paths
vulnerability which led to full local privilege escalation in the affected
window operating system as the service "NativePushService" was running with
system privilege that the local user has write access to the directory
where the service is located. Effectively, the local user is able to
elevate to local admin upon successfully replacing the affected executable.


C:\sc qc NativePushService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   :
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Native Push Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe"

C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
NativePush\WsNativePushService.exe

BUILTIN\Users:(ID)F

                      NT AUTHORITY\SYSTEM:(ID)F

                      BUILTIN\Administrators:(ID)F

                      HNINKAYTHAYAR\HninKayThayar:(ID)F


Filmora 12 (Build 1.0.0.7) – Unquoted Service Paths Privilege Escalation: A Deep Dive into CVE-2023-31747

On May 20, 2023, cybersecurity researcher Thurein Soe disclosed a critical vulnerability in Filmora 12, specifically within its Wondershare NativePush service component (Build 1.0.0.7). This flaw, assigned the CVE identifier CVE-2023-31747, exploits a common yet dangerous misconfiguration: unquoted service paths. The vulnerability enables local users to escalate privileges to SYSTEM level—effectively gaining full administrative control—on Windows 10 systems.

Understanding the Vulnerability: Unquoted Service Paths

Service paths in Windows are defined in the registry under HKLM\SYSTEM\CurrentControlSet\Services. When a service executable path is not enclosed in quotes, Windows interprets the path as a series of arguments. This creates a critical security loophole if the path contains spaces and the directory is writable by non-admin users.

For example, consider a service path like:

C:\Program Files\Wondershare\NativePush\WsNativePushService.exe

If the path is unquoted (i.e., not wrapped in "), Windows treats Program as the executable and Files\Wondershare\NativePush\WsNativePushService.exe as arguments. If an attacker can place a malicious executable named Program.exe in a writable directory, the service will execute it instead of the legitimate binary.

Case Study: NativePushService in Filmora 12

During analysis of Filmora 12 (Build 1.0.0.7), the NativePushService was found to have an unquoted binary path:

sc qc NativePushService

Output:

SERVICE_NAME: NativePushService
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
 SERVICE_START_NAME : LocalSystem

Notice the space in the path: Wondershare NativePush. The lack of quotes means Windows will attempt to execute Wondershare as the binary, and treat NativePush\WsNativePushService.exe as arguments. This opens the door for exploitation.

Local User Access and Privilege Escalation

Using cacls to inspect permissions:

cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"

Output reveals:

User/Group Permissions
BUILTIN\Users F (Full Control)
NT AUTHORITY\SYSTEM F (Full Control)
BUILTIN\Administrators F (Full Control)
HNINKAYTHAYAR\HninKayThayar F (Full Control)

Here’s the key insight: the local user has full write access to the directory where the service executable resides. This means they can replace the legitimate WsNativePushService.exe with a malicious payload—such as a reverse shell or a binary that elevates privileges.

Exploitation Process: Step-by-Step

Attackers can follow these steps to exploit CVE-2023-31747:

  • Step 1: Identify the vulnerable service using sc qc to query service configuration.
  • Step 2: Confirm the path contains unquoted spaces and verify write access using cacls.
  • Step 3: Create a malicious executable named Wondershare.exe (matching the first part of the unquoted path).
  • Step 4: Place the malicious binary in the writable directory: C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush.
  • Step 5: Restart the service or wait for it to auto-start (as it is set to AUTO_START).
  • Step 6: The service will execute Wondershare.exe instead of the original binary, running with LocalSystem privileges.

Once executed, the malicious payload gains SYSTEM-level access, allowing full control over the system—installing malware, modifying system settings, or exfiltrating sensitive data.

Real-World Implications and Mitigation

This vulnerability is particularly dangerous in environments where users have local access to systems but are not administrators. For instance:

  • Corporate desktops with unprivileged users.
  • Shared workstations in educational institutions.
  • Remote desktop sessions with limited access.

Attackers can leverage this flaw to gain persistence, escalate privileges, and bypass security controls—often without triggering antivirus alerts, especially if the payload is crafted carefully.

Security Best Practices and Fixes

Vendor Wondershare has since released patches for Filmora 12, addressing the unquoted service path issue. However, users should:

  • Always quote service paths in registry configurations.
  • Restrict write access to service directories to only trusted accounts.
  • Use least privilege principles—never run services with LocalSystem unless absolutely necessary.
  • Monitor service behavior using tools like Process Monitor or Windows Event Log.

System administrators should regularly audit services using sc query and sc qc to detect unquoted paths. Automated scripts can be deployed to scan for such vulnerabilities across multiple systems.

Conclusion: A Reminder of Legacy Risks

CVE-2023-31747 serves as a stark reminder that even well-known software like Filmora—used by millions for creative work—can harbor critical security flaws. The unquoted service path vulnerability is a classic attack vector that has resurfaced in modern applications due to poor configuration practices.

As cybersecurity professionals, we must remain vigilant: always validate service configurations, enforce proper permissions, and prioritize security-by-design. This case underscores that privilege escalation is not always complex—it can be as simple as a missing quotation mark.