# Exploit Title: Nero 7 Unquoted Service Path Elevation Of Privilege
# Disclosure Date: 09/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# Version: Nero version 18.104.22.168
# Tested on: Windows 7 integral edition FR
# CVE : N/A
The nero 7 suffers from an unquoted search path issue impacting the
service "NBService" leading to arbitrary code execution, this could
potentially allow an authorized unprivileged user to invoke a malicious
peice of code with elevated privileges.
A successful exploit requires a local user to put its own code in the
path of the vulnerable application where it could potentially be
executed during the software startup or system reboot.
[PentestingSkills.BlackBox] a$? sc qc NBService
[SC] QueryServiceConfig rA(c)ussite(s)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Nero\Nero 7\Nero
TAG : 0
DISPLAY_NAME : NBService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
notice the path C:\Program Files (x86)\Nero\Nero 7\Nero
BackItUp\NBService.exe unquoted !!
a malicious local user could put in place its own executable as Nero.exe
under C:\Program Files (x86)\Nero\ to be then executed once the
application starts up or the system reboots.