Arcsoft PhotoStudio Unquoted Service Path Privilege Escalation Vulnerability

A privilege escalation vulnerability has been identified in Arcsoft PhotoStudio versions through 6.0.0.172. The issue arises from an unquoted service path in the ArcSoft Exchange Service, allowing local attackers to place a malicious executable in the unquoted path. When the service is triggered, the executable is executed with system-level permissions, enabling arbitrary code execution.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to the system level, where an attacker could execute arbitrary code with full administrative rights.

Reproduction

The vulnerability can be reproduced by first identifying the unquoted service path using the Windows Management Instrumentation Command-line (WMIC) tool. After locating the service, a reverse shell payload can be created using Metasploit's msfvenom, and then uploaded to the unquoted path. Once the payload is in place, the service can be restarted, triggering the execution of the malicious payload with system privileges.