
Exploiting a Seagate service for SYSTEM shell (CVE-2022-40286)

This post covers a slightly different topic than my usual content: application vulnerability discovery and exploit development.

I haven’t spent much time experimenting in this area in recent years, but my interest has been reignited after some work-related projects over the last few weeks.

I went online to find a random driver/service to exploit – I wanted to find a product by a well-known company rather than something too obscure.

One of the first software packages that I found was called “Seagate Media Sync”. This is a tool for copying media files to wireless Seagate hard-disks. I installed the product, and as expected, this created a background SYSTEM service called MediaAggreService.exe.

A common attack vector for privilege escalation begins with the internal communication between low-privileged processes (UI) and high-privileged services (or drivers). The first step to investigate this is to trigger a legitimate communication from the UI that we can monitor. Unfortunately, the UI program only offers very limited functionality because I don’t have the corresponding Seagate hardware.

Process Explorer shows that the service contains handles to a named-pipe called MEDIA_AGGRE_PIPE.PIP – I suspect that this pipe is used for communications between the UI (stxmediamanager.exe) and the service (MediaAggreService.exe).
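
As an added example (not part of the original post), the following PowerShell inventory check lets a defender see whether the service and pipe described above are present on a host. It matches the service by the image name MediaAggreService.exe and the pipe by the name MEDIA_AGGRE_PIPE.PIP, both taken from the post; the function name and the output field names are hypothetical.

```powershell
# Added example: inventory check for the service and named pipe from the post.
# Function name and output field names are hypothetical (not Seagate's or the author's).
function Test-MediaSyncPipeExposure {
    [CmdletBinding()]
    param(
        # Defaults come from the post; override them to audit another product.
        [string]$ImageName = 'MediaAggreService.exe',
        [string]$PipeName  = 'MEDIA_AGGRE_PIPE.PIP'
    )

    # Services whose binary path references the image name.
    $services = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$ImageName*" })

    # Names of all named pipes currently open on the local machine.
    # $null means the listing failed, so pipe presence is unknown.
    $pipePresent = $null
    try {
        $pipes = @([System.IO.Directory]::GetFiles('\\.\pipe\') |
            ForEach-Object { $_ -replace '^\\\\\.\\pipe\\+', '' })
        $pipePresent = $pipes -contains $PipeName   # case-insensitive match
    } catch {
        Write-Warning "Could not enumerate named pipes: $($_.Exception.Message)"
    }

    foreach ($svc in $services) {
        $isSystem = $svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
        [pscustomobject]@{
            Service     = $svc.Name
            BinaryPath  = $svc.PathName
            Account     = $svc.StartName
            State       = $svc.State
            ProcessId   = $svc.ProcessId
            PipePresent = $pipePresent
            # A running SYSTEM service with a local pipe endpoint is the
            # privilege boundary the post describes; flag it for review.
            NeedsReview = ($isSystem -and $svc.State -eq 'Running' -and
                           $pipePresent -eq $true)
        }
    }
    if (-not $services) { Write-Verbose "No service references $ImageName" }
}

Test-MediaSyncPipeExposure | Format-List
```

The function emits nothing when no matching service is installed; run it with `-Verbose` to see that case reported.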


Posted by SH
