Authored by yunaranyancat

Cobian Backup Service versions prior to 11 suffer from an unquoted service path vulnerability.

# Exploit Title: Cobian Backup Service < 11 - Unquoted Service Path
# Discovery by: yunaranyancat
# Discovery Date: October 2020
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10

# Info

Cobian Backup service version 11 and earlier has been observed to suffer from an unquoted service path vulnerability.

# Vulnerability discovery:

Registry value : HKLM\SYSTEM\ControlSet001\Services\CobianBackup11

# Service info:

C:\>sc qc CobianBackup11
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianBackup11
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 Normal
BINARY_PATH_NAME : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cobian Backup 11 Gravity
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

# Exploit:

This vulnerability could permit code execution with escalated privileges during startup or reboot, because the service starts automatically (AUTO_START) and runs as LocalSystem.