DiskBoss 11.7.28 Unquoted Service Path

# Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.diskboss.com/
# Software Link: https://www.diskboss.com/downloads.html
# Version: v11.7.28
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763

# Product | Version
# DiskBoss v11.7.28
# DiskBoss Pro v11.7.28
# DiskBoss Ultimate v11.7.28
# DiskBoss Server v11.7.28
# DiskBoss Enterprise v11.7.28

# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.

# Services info:

C:Usersm507>sc qc "DiskBoss Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:Program FilesDiskBossbindiskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:Usersm507>

C:Usersm507>sc qc "DiskBoss Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:Program Files (x86)DiskBoss Enterprisebindiskbss.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:Usersm507>

C:Usersm507>sc qc "DiskBoss Ultimate Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Ultimate Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:Program Files (x86)DiskBoss Ultimatebindiskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Ultimate Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:Usersm507>

C:Usersm507>sc qc "DiskBoss Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:Program Files (x86)DiskBoss Serverbindiskbss.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:Usersm507>

C:Usersm507>sc qc "DiskBoss Pro Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Pro Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:Program Files (x86)DiskBoss Probindiskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Pro Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:Usersm507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.