# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path # Discovery by: Brian Rodriguez # Date: 16-06-2021 # Vendor Homepage: https://www.dupscout.com # Software Links: # https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe # https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe # Tested Version: 13.5.28 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 Enterprise 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Dup Scout Server Dup Scout Server C:\Program Files\Dup Scout Server\bin\dupscts.exe Auto Dup Scout Enterprise Dup Scout Enterprise C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe Auto C:\>sc qc "Dup Scout Server" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: Dup Scout Server TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout Server\bin\dupscts.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Dup Scout Server DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem C:\>sc qc "Dup Scout Enterprise" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: Dup Scout Enterprise TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Dup Scout Enterprise DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem