# Exploit Title: TOVA 8 Precision Test Environment (P.T.E) - Unquoted Service Path Privilege Escalation # Date of Discovery: February 17 2017 # Exploit Author: Rithwik Jayasimha # Author Homepage/Contact: https://thel3l.me # Vendor Name: The TOVA Company # Vendor Homepage: http://www.tovatest.com/ # Software Link: TOVA 8.2-202 - http://files.tovatest.com/installers/release/windows/tova_8.2-202-gffd23ee_setup.exe # Affected Versions: 8.0-102 to 8.2-202 # Tested on: Windows 10, 8.1, 7, XP # Category: local # Vulnerability type: Local Privilege Escalation # Description: T.O.V.A (Test of Variables of Attention) is a computerized, objective measure of attention and inhibitory control normed by gender for ages 4 to 80+. It installs a service ("TOVA 8 PTE Activation") with an unquoted service path running with SYSTEM privileges. This allows any non-privileged local user to execute arbitrary code with SYSTEM privileges. # Proof Of Concept: C:\Program Files (x86)\tova_8>sc qc "TOVA 8 PTE Activation" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: TOVA 8 PTE Activation TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\tova_8\Service\tova-pte-svc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : TOVA 8 PTE Activation DEPENDENCIES : SERVICE_START_NAME : LocalSystem # Additional Notes, References and links: Patched in latest version. # Disclosure Timeline: February 17 2017 - Discovered, vendor contacted. March 13th 2017 - Patch released by vendor.