Cobian Backup Service versions prior to 11 suffer from an unquoted service path vulnerability.
# Exploit Title: Cobian Backup Service < 11 - Unquoted Service Path
# Discovery by: yunaranyancat
# Discovery Date: October 2020
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10
# Info
It has been observed that Cobian Backup service ver. 11 and earlier suffers from an unquoted service path vulnerability.
# Vulnerability discovery:
Registry value : HKLM\SYSTEM\ControlSet001\Services\CobianBackup11
# Service info:
C:\>sc qc CobianBackup11
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CobianBackup11
        TYPE               : 10 WIN32_OWN_PROCESS
        START_TYPE         : 2 AUTO_START
        ERROR_CONTROL      : 1 Normal
        BINARY_PATH_NAME   : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cobian Backup 11 Gravity
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
# Exploit:
This vulnerability could permit code execution with escalated privileges during startup or reboot.
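
The check below is an added example, not part of the original advisory or of Cobian's code: it parses `sc qc` output like the listing above, flags a BINARY_PATH_NAME that contains spaces but is not quoted, and builds the quoted value that should be configured instead. The function names are assumptions made for illustration, and the logic goes slightly beyond this one service by also handling command lines that carry arguments after the executable.

```python
import re

# `sc qc` output for the service, abridged from the listing in this advisory.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CobianBackup11
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Return the KEY : value fields of one `sc qc` result as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Z_]+", key.strip()):
            fields[key.strip()] = value.strip()
    return fields

def split_command(binary_path):
    """Split a service command line into (executable, arguments)."""
    if binary_path.startswith('"'):
        end = binary_path.find('"', 1)
        if end == -1:                       # unbalanced quote: treat all as the path
            return binary_path[1:], ""
        return binary_path[1:end], binary_path[end + 1:].strip()
    match = re.match(r"(?i)(.*?\.exe)(?=\s|$)(.*)", binary_path)
    if match:
        return match.group(1), match.group(2).strip()
    return binary_path, ""

def audit(fields):
    """Flag an unquoted path containing spaces and build the quoted replacement."""
    raw = fields.get("BINARY_PATH_NAME", "")
    exe, args = split_command(raw)
    vulnerable = not raw.startswith('"') and " " in exe
    quoted = f'"{exe}"' + (f" {args}" if args else "")
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "account": fields.get("SERVICE_START_NAME", ""),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "vulnerable": vulnerable,
        "quoted_path": quoted if vulnerable else raw,
    }

if __name__ == "__main__":
    print(audit(parse_sc_qc(SAMPLE_SC_QC)))
```

A flagged service that also reports `auto_start` and a `LocalSystem` account matches the startup and privilege conditions described in this advisory, so those findings should be corrected first.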