Vendor: ELAN Smart-Pad
By: ZwX
CVSS: 7.5 (HIGH)
Category: Unquoted Service Path
CWE: 428
Product Name: ELAN Smart-Pad
Affected Version From: 11.10.15.1
Affected Version To: 11.10.15.1
Patch Exists: NO
CPE: a:elan_microelectronics:elan_smart-pad:11.10.15.1
Platforms Tested: Windows 10 v1803
Year: 2020

ELAN Smart-Pad 11.10.15.1 – ‘ETDService’ Unquoted Service Path

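The 'ETDService' service in ELAN Smart-Pad 11.10.15.1 has an unquoted service path vulnerability: its binary path, C:\Program Files\Elantech\ETDService.exe, contains a space and is registered without surrounding quotes, and the service starts automatically as LocalSystem. This allows an attacker with local access to execute arbitrary code with elevated privileges.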

Mitigation:

To mitigate this vulnerability, ensure that the service's binary path is enclosed in double quotes in the service configuration.

Exploit-DB raw data:

#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-02-05
#Vendor : ELAN Microelectronics
#Vendor Homepage : http://www.emc.com.tw/
#Tested on OS: Windows 10 v1803


#Analyze PoC :
==============


C:\Users\ZwX>sc qc ETDService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: ETDService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Elantech\ETDService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Elan Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
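
The following audit script is an added example, not part of the original advisory or the Exploit-DB submission. It parses `sc qc` output in the layout shown above, flags services whose binary path is unquoted and contains a space, and produces the quoted form the mitigation calls for. The function names and the QuotedSvc and NoSpaceSvc entries are assumptions made for illustration.

```python
import re

# Constructed sample in the `sc qc` layout shown on this page; QuotedSvc and
# NoSpaceSvc are hypothetical services added for contrast.
SAMPLE_SC_QC = r"""
SERVICE_NAME: ETDService
        BINARY_PATH_NAME   : C:\Program Files\Elantech\ETDService.exe
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\svc.exe" -k run
SERVICE_NAME: NoSpaceSvc
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
"""
EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def parse_sc_qc(text):
    """Return {service_name: {field: value}} from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue  # status lines such as "[SC] QueryServiceConfig ..."
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services

def audit(fields):
    """Return (flagged, quoted_value) for one parsed service."""
    raw = fields.get("BINARY_PATH_NAME", "")
    if not raw or raw.startswith('"'):
        return False, raw  # already quoted, or no path reported
    m = EXE_END.search(raw)  # heuristic: the first ".exe" ends the executable
    exe = raw[:m.end()] if m else raw
    if " " not in exe:
        return False, raw  # no space, so the path is unambiguous
    return True, f'"{exe}"{raw[len(exe):]}'

def findings(text):
    """Map each flagged service to (start account, correctly quoted path)."""
    audited = {n: (f, audit(f)) for n, f in parse_sc_qc(text).items()}
    return {n: (f.get("SERVICE_START_NAME", ""), fixed)
            for n, (f, (flagged, fixed)) in audited.items() if flagged}

if __name__ == "__main__":
    for name, (account, fixed) in findings(SAMPLE_SC_QC).items():
        print(f"{name}: runs as {account}; quoted form: {fixed}")
```

Services flagged while running as LocalSystem are the ones to correct first.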