Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path

vendor:

GamingServices

by:

Ismael Nava

7.5

CVSS

HIGH

Unquoted Service Path

428

CWE

Product Name: GamingServices

Affected Version From: 2.47.10001.0

Affected Version To:

Patch Exists: YES

Related CWE:

CPE: a:microsoft:gaming_services:2.47.10001.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 64 bits

2020

Microsoft GamingServices 2.47.10001.0 – ‘GamingServices’ Unquoted Service Path

The Microsoft GamingServices version 2.47.10001.0 is vulnerable to an unquoted service path vulnerability. This vulnerability allows an attacker to gain escalated privileges by placing a malicious executable in a directory with a space in its name, which is not properly quoted in the service's path. This can lead to the execution of arbitrary code with elevated privileges.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of Microsoft GamingServices where the issue has been patched. Additionally, users should ensure that the service path is properly quoted to prevent unquoted service path vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 02-12-2020
# Vendor Homepage: https://www.microsoft.com
# Software Links : https://www.microsoft.com/en-us/p/xbox-beta/9mv0b5hzvk9z?activetab=pivot:overviewtab
# Tested Version: 2.47.10001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
GamingServices GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto
GamingServicesNet GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto

C:\>sc qc "GamingServicesNet"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: GamingServicesNet
        TIPO               : 210  WIN32_PACKAGED_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : GamingServicesNet
        DEPENDENCIAS       : staterepository
        NOMBRE_INICIO_SERVICIO: NT AUTHORITY\LocalService

C:\>sc qc "GamingServices"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: GamingServices
        TIPO               : 210  WIN32_PACKAGED_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : GamingServices
        DEPENDENCIAS       : staterepository
        NOMBRE_INICIO_SERVICIO: LocalSystem