Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path

vendor:

WTabletServicePro

by:

Marcos Antonio León (psk)

7.8

CVSS

HIGH

Unquoted Service Path

426

CWE

Product Name: WTabletServicePro

Affected Version From: 6.3.7.3

Affected Version To: 6.3.7.3

Patch Exists: NO

Related CWE: N/A

CPE: a:wacom:wtabletservice

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 Home x64 es

2019

Wacom WTabletService 6.6.7-3 – ‘WTabletServicePro’ Unquoted Service Path

A successful attempt would require the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.

Mitigation:

Ensure that all services have a fully qualified path to the executable.

Source

Exploit-DB raw data:

# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
# Discovery by: Marcos Antonio León (psk)
# Discovery Date: 2019-11-04
# Vendor Homepage: https://www.wacom.com
# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
# Tested Version: 6.3.7.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 es

# Step to discover Unquoted Service Path:

C:\>sc qc WTabletServicePro
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WTabletServicePro
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
        GRUPO_ORDEN_CARGA  : PlugPlay
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Wacom Professional Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt would require the local attacker must insert an
executable file in the path of the service. Upon service restart or
system reboot, the malicious code will be run with elevated
privileges.