Executive Summary

CVE-2020-36957 is an unquoted service path vulnerability in the pdfsvc.exe service of PDF Complete version 3.5.310.2002. Because the service path is unquoted and contains spaces, an attacker with local access can exploit this by placing a malicious executable in a path that the system might execute instead of the legitimate service binary. This allows the attacker to inject and execute malicious code with elevated LocalSystem privileges, effectively escalating their privileges on the system. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to local privilege escalation, allowing an attacker with local access to execute malicious code with LocalSystem privileges. This means the attacker can gain full control over the affected system, potentially compromising confidentiality, integrity, and availability of data and system resources. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by querying Windows Management Instrumentation (WMI) and Service Control Manager (SCM) to identify services with unquoted paths running with auto-start mode, specifically filtering for the 'pdfsvc' service. For example, you can use PowerShell commands such as: Get-WmiObject win32_service | Where-Object { $_.PathName -like '*pdfsvc*' -and $_.StartMode -eq 'Auto' } to find the service and check if the executable path is unquoted and contains spaces. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotes to prevent path hijacking. Alternatively, restrict local user permissions to prevent placing malicious executables in paths that could be executed by the vulnerable service. Ensuring the service runs with the least privileges necessary and applying any available updates or patches from the vendor is also recommended. [1, 2]

Useful 0 Not Useful 0