Epic Games Store Privilege Escalation Vulnerability via Microsoft Store Installation

Vulnerability

A local privilege escalation vulnerability has been identified in the Epic Games Store when installed through the Microsoft Store. This issue allows low-privilege users to replace a DLL file during the installation, potentially leading to unauthorized elevation of privileges. The vulnerability arises because the temporary folder used during installation is writable by standard users, enabling the replacement of a legitimate DLL with a malicious one that is executed with SYSTEM privileges.

Impact

Exploitation of this vulnerability allows a user to gain SYSTEM privileges.

Reproduction

The vulnerability can be reproduced by installing the Epic Games Store via the Microsoft Store. During the installation process, the Windows Package Manager Server downloads an MSI file, which is executed by msiexec.exe. This process extracts DXSETUP.exe and runs it with SYSTEM privileges. DXSETUP.exe then creates a temporary folder in the user's TEMP directory, where it writes a DLL file named dxupdate.dll. A low-privilege user can intercept this process by replacing dxupdate.dll with a malicious version. Once the DLL is loaded by DXSETUP.exe, the malicious code is executed with elevated privileges, allowing the user to gain SYSTEM access.
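The chain above leaves one observable a defender can hunt for: a process running as SYSTEM loading a DLL from a per-user TEMP directory. The following detection sketch is an added example, not code from the advisory or from Epic Games; it generalizes beyond DXSETUP.exe to any SYSTEM process with that load pattern. The event records are constructed, their field names are modeled on Sysmon image-load events (an assumption, since the page names no telemetry source), and all paths are placeholders.

```python
import ntpath
import re

SYSTEM_USERS = {"nt authority\\system", "s-1-5-18"}
# Per-user TEMP directory, which standard users can write to.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")

# Constructed sample records (not real telemetry). Folder names and
# accounts are placeholders; only the two file names come from the advisory.
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Signed": "false",
     "Image": r"C:\PLACEHOLDER\DXSETUP.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER\dxupdate.dll"},
    {"User": "NT AUTHORITY\\SYSTEM", "Signed": "true",
     "Image": r"C:\PLACEHOLDER\DXSETUP.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"User": "DESKTOP\\alice", "Signed": "false",
     "Image": r"C:\PLACEHOLDER\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER\plugin.dll"},
    {"User": "S-1-5-18", "Signed": "true",
     "Image": r"C:\PLACEHOLDER\other_installer.exe",
     "ImageLoaded": "C:/Users/Bob/AppData/Local/Temp/PLACEHOLDER/helper.dll"},
]

def is_user_temp(path):
    """True when the normalized path resolves under a per-user TEMP directory."""
    return bool(USER_TEMP.match(ntpath.normpath(path).lower()))

def find_risky_loads(events):
    """Return image loads where a SYSTEM process loaded a DLL from user TEMP."""
    findings = []
    for ev in events:
        if ev["User"].lower() not in SYSTEM_USERS:
            continue  # only loads into elevated processes are of interest
        if not is_user_temp(ev["ImageLoaded"]):
            continue
        proc = ntpath.basename(ev["Image"]).lower()
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        findings.append({
            "process": proc,
            "dll": dll,
            # Reported for triage only: the load location is the weakness,
            # so a validly signed DLL in this path is still flagged.
            "signed": ev["Signed"],
            "matches_advisory": proc == "dxsetup.exe" and dll == "dxupdate.dll",
        })
    return findings

if __name__ == "__main__":
    for finding in find_risky_loads(SAMPLE_EVENTS):
        print(finding)
```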

Remediation

Users are advised to uninstall the Epic Games Store version 14.6.2.0 installed via the Microsoft Store and download the application directly from the Epic Games Store website.

Added: Jan 15, 2026, 4:25 PM
Updated: Jan 15, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.