RealTimes Desktop Service 18.1.4 Unquoted Service Path Privilege Escalation

A local attacker with write access to a directory earlier in the unquoted path (e.g., `c:\program files (x86)\real\realplayer\RPDS\Bin\`) can place a malicious executable named `rpdsvc.exe` or a similarly named file that Windows resolves before the legitimate binary. When the service starts (either manually or at system reboot), the attacker's payload executes with LocalSystem privileges [ref_id=1]. This is a classic unquoted service path vulnerability [CWE-428].

The vulnerable binary is `rpdsvc.exe` located at `c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe`. The RealTimes Desktop Service (version 18.1.4) registers this binary with an unquoted service path, which allows the Windows service manager to interpret spaces in the path as separators between the executable and its arguments [ref_id=1].

The advisory does not include a patch or vendor fix. To remediate the vulnerability, the service binary path should be enclosed in quotes (e.g., `"c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe"`) so that Windows treats the entire string as a single executable path, preventing space-based misinterpretation [ref_id=1]. Without this change, an attacker can exploit the unquoted path to achieve privilege escalation.

1. Open a command prompt and run `wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v "RealTimes" | findstr /i /v """` to confirm the unquoted path `c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe`. 2. Run `sc qc "RealTimes Desktop Service"` to verify the service runs as LocalSystem with AUTO_START. 3. Place a malicious executable (e.g., `rpdsvc.exe`) in a directory earlier in the path (e.g., `c:\program files (x86)\real\realplayer\RPDS\Bin\`). 4. Reboot the system or start the service; the malicious executable will execute with LocalSystem privileges [ref_id=1].