Vendor: PDFCOMPLETE Corporate Edition
By: Ismael Nava
CVSS: 7.8 (HIGH)
Unquoted Service Path
CWE: 749
Product Name: PDFCOMPLETE Corporate Edition
Affected Version From: 4.1.45
Affected Version To: 4.1.45
Patch Exists: NO
Related CWE: N/A
CPE: a:pdf_complete:pdf_complete_corporate_edition:4.1.45
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 64 bits
2020
PDFCOMPLETE Corporate Edition 4.1.45 – ‘pdfcDispatcher’ Unquoted Service Path
PDFCOMPLETE Corporate Edition 4.1.45 contains an unquoted service path vulnerability in its pdfcDispatcher service. The vulnerability exists because the path to the service executable is not enclosed in quotation marks. An attacker can exploit it to gain elevated privileges on the system by creating a malicious executable with the same name as the service and placing it in the same directory as the service executable. The malicious executable is then executed with elevated privileges.
Mitigation:
The best way to mitigate this vulnerability is to ensure that the executable path of every service is properly quoted. Additionally, administrators should ensure that each service runs with the least privileges necessary.
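
One way to check the quoting part of this mitigation, as an added example that is not part of the original advisory: the function below flags service command lines whose executable path contains spaces but is not quoted, and returns the quoted form to set instead. It applies to any service rather than only pdfcDispatcher; the service names and paths are constructed samples, and on a live host the strings would come from each service's `ImagePath` registry value.

```python
import re

# End of the executable portion of a service command line.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

# Constructed sample data (service name -> ImagePath string); not from the advisory.
SAMPLE_SERVICES = {
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Example App\dispatcher.exe /run",
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def quoted_form(image_path):
    """Return the corrected (quoted) command line, or None if no fix is needed."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # executable path is already quoted
    match = _EXE_END.search(path)
    if match is None:
        return None  # no .exe found: out of scope for this check
    exe, args = path[:match.end()], path[match.end():]
    if " " not in exe:
        return None  # no spaces, so the path cannot be split ambiguously
    return f'"{exe}"{args}'


def audit_services(services):
    """Map each affected service name to the quoted command line it should use."""
    findings = {}
    for name, image_path in services.items():
        fix = quoted_form(image_path)
        if fix is not None:
            findings[name] = fix
    return findings


if __name__ == "__main__":
    for name, fix in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set ImagePath to {fix}")
```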