# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
# Discovery by: Marcos Antonio León (psk)
# Discovery Date: 2019-11-04
# Vendor Homepage: https://www.wacom.com
# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
# Tested Version: 6.3.7.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 es
# Step to discover Unquoted Service Path:
C:\>sc qc WTabletServicePro
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: WTabletServicePro
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
GRUPO_ORDEN_CARGA : PlugPlay
ETIQUETA : 0
NOMBRE_MOSTRAR : Wacom Professional Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local attacker must insert an
executable file in the path of the service. Upon service restart or
system reboot, the malicious code will be run with elevated
privileges.