Share
# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path  
# Discovery by: Marcos Antonio León (psk)  
# Discovery Date: 2019-11-04  
# Vendor Homepage: https://www.wacom.com  
# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe  
# Tested Version: 6.3.7.3  
# Vulnerability Type: Unquoted Service Path  
# Tested on OS: Windows 10 Home x64 es  
  
# Step to discover Unquoted Service Path:  
  
C:\>sc qc WTabletServicePro  
[SC] QueryServiceConfig CORRECTO  
  
NOMBRE_SERVICIO: WTabletServicePro  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_INICIO : 2 AUTO_START  
CONTROL_ERROR : 1 NORMAL  
NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe  
GRUPO_ORDEN_CARGA : PlugPlay  
ETIQUETA : 0  
NOMBRE_MOSTRAR : Wacom Professional Service  
DEPENDENCIAS :  
NOMBRE_INICIO_SERVICIO: LocalSystem  
  
#Exploit:  
  
A successful attempt would require the local attacker must insert an  
executable file in the path of the service. Upon service restart or  
system reboot, the malicious code will be run with elevated  
privileges.