PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path

vendor:

PDF Complete

by:

Zaira Alquicira

5.5

CVSS

MEDIUM

Unquoted Service Path

428

CWE

Product Name: PDF Complete

Affected Version From: 3.5.310.2002

Affected Version To: 3.5.310.2002

Patch Exists: NO

Related CWE:

CPE: pdf-complete.informer.com/3.5

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 Pro x64

2020

PDF Complete 3.5.310.2002 – ‘pdfsvc.exe’ Unquoted Service Path

The PDF Complete version 3.5.310.2002 is vulnerable to an unquoted service path vulnerability. This vulnerability could allow an attacker to gain escalated privileges by placing a malicious executable in the path of the service.

Mitigation:

The vendor should update the service path to include quotes around the executable path.

Source

Exploit-DB raw data:

# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
# Discovery by: Zaira Alquicira
# Discovery Date: 2020-12-10
# Vendor Homepage:  https://pdf-complete.informer.com/3.5/
# Tested Version: 3.5.310.2002
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v
"""

PDF Complete

PDF Complete  C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
Auto


# Service info:

C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: pdfcDispatcher
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : PDF Document Manager
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem