Intel® Audio Driver Unquoted Service Path Vulnerability

By Uriel Kosayev (@MalFuzzer) and Shay Rozen


Intel is a very well-known and large company that serves a big amount of personal computers and servers around the globe. This vulnerability can be exploited by an attacker during the post-exploitation phase to achieve privilege escalation and persistency,

by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs with the NT AUTHORITY\SYSTEM privileges on the victim machine.

Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

In many cases, the first point of penetration will not give attackers the level of access or access to the file system they need. They will then attempt to escalate their privileges to gain more permissions or to obtain access to additional, more sensitive systems.

Privilege escalation means an attacker gains access to privileges they are not entitled to by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account.

The Vulnerability

In Windows operating system, service is susceptible to “Unquoted Service Path” vulnerability if the executable path is not wrapped with quotation marks as can be seen below in the case of Intel’s audio driver service:


When diving into the .NET based executable of the “IntelAudioService”, we can notice that it facilitates the “CreateProcessAsUserW” Windows API function through the CallProcessAsUserWrapper method to create the process as can be seen below:

In this case, the “CreateProcessAsUserW” Windows API function receives several parameters such as the “_processToRunPath” parameter that has a value of the file name or the file’s full path, and in this case, with no quotation marks which leads to this vulnerability.

To exploit such vulnerability, gain persistency and escalate the privileges, an attacker needs to drop a payload in a path that has a spaced-name like “C:\Windows\System32\cAVS\Intel(R) {Payload} Service” that will be executed after a computer or service is restarted, either through an administrative account or by abusing a service path that has insufficient permission so that any weak user with the “W” (write) permission, for instance, can drop a malicious payload to this path without the need of an administrative account.

Disclosure Timeline

March 8, 2020 – Vulnerability reported to Intel PSIRT.

May 27, 2020 – Intel validated and resolved the vulnerability.

June 6, 2020 – Vulnerability reported to HackerOne per Intel PSIRT request.

June 25, 2020 – Intel PSIRT Assigned CVE: CVE-2020-12307 and offers a bounty of 1,500$.

November 10, 2020 – Vulnerability will be publicly disclosed under INTEL-SA-00409.