Microvirt MEmu Play
cpe:2.3:a:microvirt:memu:*:*:*:*:*:*:*
- <= 7.1.3
A vulnerability in MEmu Play version 7.1.3 allows low-privileged users to exploit insecure folder permissions to modify the MemuService.exe executable. An attacker can replace the service executable with a malicious file that runs with SYSTEM-level privileges when the system is restarted. The issue arises because the Authenticated Users group is granted unrestricted file modification permissions by default.
Exploitation of this vulnerability leads to unauthorized modification of executable files, allowing for privilege escalation to SYSTEM-level rights.
To reproduce this vulnerability, a low-privileged user must first download the MemuService.exe file and then overwrite the original executable in the application directory with a malicious version. This can be done by renaming the original file, copying the malicious one into the folder, and then restarting the computer, which triggers the execution of the replaced file with elevated privileges.
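A defender-side check for the condition described above, as an added example that is not part of the original advisory or vendor code: it lists every Windows service whose executable, or the folder containing it, grants write-type rights to a broad low-privileged group. The page does not give the MEmu install path, so the script enumerates all services; the SID list, the rights mask, and the function names `Get-ServiceImagePath` and `Get-BroadWriteAce` are choices made for this example.

```powershell
# Well-known SIDs (locale-independent): Authenticated Users, Users, Everyone, Interactive.
# Which groups count as "broad" is an assumption of this example; adjust to local policy.
$broadSids = 'S-1-5-11', 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-4'

# Only the bits that allow replacing or renaming a file; read/execute bits are excluded.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$generic   = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName is either a quoted path or an unquoted path followed by arguments.
    if ($PathName -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)')   { return $Matches[1] }
    return $null
}

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Resolve ACEs to SIDs so the comparison works on non-English systems.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $bits = [int]$_.FileSystemRights
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            -not ($_.PropagationFlags -band $inheritOnly) -and
            (($bits -band $writeMask) -or ($bits -band $generic))
        }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not $exe) { return }
    # A writable parent folder is enough to rename the binary and drop a new one in its place.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        foreach ($ace in Get-BroadWriteAce $target) {
            [pscustomobject]@{
                Service = $svc.Name;  RunsAs = $svc.StartName;  Target = $target
                Sid     = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
            }
        }
    }
}
```

Any row whose `RunsAs` is `LocalSystem` matches the pattern in this advisory; the remediation is to remove the write-type ACE for the listed SID from the reported target.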