Pearson VUE Application Wrapper Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Pearson VUE VTS Installer version 2.3.1911 allows local users to gain administrative privileges. The issue arises from the Application Wrapper component, which has an unquoted service path and insecure file permissions on the 'C:\Pearson VUE' directory. The permissions grant full control to all users, so any local user can overwrite files there and place a Trojan horse application that could then be run as the VUEService user, which has administrative rights.

Impact

Exploitation of this vulnerability allows local users to obtain administrative privileges on the system.

Reproduction

The vulnerability can be reproduced by creating a malicious executable named 'VUE.exe' containing a reverse shell payload, serving it over HTTP, and then downloading it into the 'C:\Pearson VUE' directory. After the executable is downloaded, the system can be rebooted, which will trigger the execution of the malicious payload with elevated privileges.
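
To check a host for the two conditions described above (an unquoted service path and broad write access on 'C:\Pearson VUE'), the following PowerShell audit can be run from an administrative prompt. It is an added example, not code from the advisory or from the vendor; the directory name is taken from the text above, the SIDs are the standard well-known ones, and the first check lists every unquoted service path on the host, not only the Pearson VUE service.

```powershell
# Added audit example (not vendor code). $InstallDir is the directory named in the advisory.
$InstallDir = 'C:\Pearson VUE'

# Well-known SIDs for broad groups: Everyone, BUILTIN\Users, Authenticated Users.
$BroadSids = 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-11'

# WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteBits = 0x50000006

# Check 1: services whose executable path contains a space but is not quoted.
$unquoted = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName.Trim()
        if ($path.StartsWith('"')) { return }   # quoted: parsed unambiguously
        # Executable portion = everything up to the first ".exe"; arguments are ignored.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success -and $m.Groups[1].Value.Contains(' ')) {
            [pscustomobject]@{
                Name      = $_.Name
                StartName = $_.StartName
                StartMode = $_.StartMode
                PathName  = $path
            }
        }
    }

# Check 2: allow ACEs on the install directory that let broad groups create or overwrite files.
$weakAces = @()
if (Test-Path -LiteralPath $InstallDir) {
    $acl = Get-Acl -LiteralPath $InstallDir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $weakAces = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadSids -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteBits)
    })
}

'Unquoted service paths containing spaces:'
$unquoted | Format-Table -AutoSize -Wrap
"Broad write access on ${InstallDir}:"
$weakAces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

A service entry in the first table combined with any row in the second table matches the condition the advisory describes; either finding alone is still worth correcting.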

Added: May 15, 2026, 8:52 AM
Updated: May 15, 2026, 8:52 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.