Asus GameSDK 1.0.0.4 Unquoted Service Path

2022.07.20
Credit: Angelo Pio Amirante
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2022-35899
CWE: N/A

# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation) # Date: 07/14/2022 # Exploit Author: Angelo Pio Amirante # Version: 1.0.0.4 # Tested on: Windows 10 # Patched version: 1.0.5.0 # CVE: CVE-2022-35899 # Step to discover the unquoted service path: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ # Info on the service: C:\>sc qc "GameSDK Service" [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: GameSDK Service TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : GameSDK Service DIPENDENZE : SERVICE_START_NAME : LocalSystem # Exploit If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe". # Impact An attacker can elevate his privileges on the system and become NTAUTHORITY\SYSTEM. # Poc Video https://youtu.be/u_8JMIgn-5g


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top