HotKey Clipboard 2.1.0.6 Unquoted Service Path – Torchsec
# Date: 2023/01/17
# Exploit Author : Wim Jaap van Vliet
# Vendor Homepage: www.clevo.com.tw
# Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip
# Version: 2.1.0.6
# Tested on: Windows 11 Pro 10.0.22000
# Exploit
The Hotkey Clipboard Service 'HKClipSvc', installed as part of Control Center3.0 v3.97 (and earlier versions) by Clevo has a unquoted service path.
This software package is usually installed on Clevo laptops (or other brands using Clevo barebones) as a driver.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges on the system.
# Information
C:\>sc qc "HKClipSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HKClipSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HotKey Clipboard Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Gloss