ASUS Control Center Express 01.06.15 - Unquoted Service Path

Exploit Author: Alaa Kachouh
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2024-04-02

# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673

===================================================================
ASUS Control Center Express Version =< 01.06.15 contains an unquoted
service path which allows attackers to escalate privileges to the system
level.
Assuming attackers have write access to C:\, the attackers can abuse the
Asus service "Apro console service"/apro_console.exe which upon restarting
will invoke C:\Program.exe with SYSTEM privileges.

The binary path of the service alone isn't susceptible, but upon its
initiation, it will execute C:\program.exe as SYSTEM.

Service Name: AProConsoleService
binary impacted: apro_console.exe

# If a malicious payload is inserted into C:\ and the service is executed in any way, this can grant privileged access to the system and perform malicious activities.


ASUS Control Center Express 01.06.15 — Unquoted Service Path (CVE-2024-27673)

This article explains the unquoted service path vulnerability discovered in ASUS Control Center Express (versions up to 01.06.15) and tracked as CVE-2024-27673. It covers what the issue is, why it matters, how to detect and remediate it safely, mitigation and monitoring guidance, and recommended hardening to reduce risk.

Summary

ASUS Control Center Express prior to or equal to 01.06.15 contains an unquoted service path for the AProConsoleService (apro_console.exe). When a Windows service's configured executable path contains one or more spaces and is not wrapped in quotes, Windows can interpret the path in a way that allows binaries located at earlier path components to be executed unexpectedly. In this case, if an attacker has the ability to write to the system root (C:\), the service startup sequence may attempt to execute C:\Program.exe with SYSTEM privileges.

Field | Value
Vulnerability | Unquoted service executable path for AProConsoleService (apro_console.exe)
Affected software | ASUS Control Center Express ≤ 01.06.15
CVE | CVE-2024-27673
Impact | Local privilege escalation to SYSTEM if attacker can write to C:\

Technical details — what an “unquoted service path” means

Windows services store the absolute path to their executable (ImagePath). If the path contains spaces and is not quoted, Windows splits the string at each space and tries each successively longer prefix as the executable, so an earlier path component can be loaded instead of the intended binary. For example, consider a service configured with an ImagePath like:

C:\Program Files\ASUS\ControlCenter\apro_console.exe

If this value is not quoted, the service loader tries the following candidate paths in order and runs the first one that resolves to a valid executable:

  • C:\Program.exe
  • C:\Program Files\ASUS\ControlCenter\apro_console.exe

If an attacker can create C:\Program.exe, Windows may execute that file with the service's privileges (often SYSTEM), enabling privilege escalation. In this specific case the vulnerable behavior is tied to how apro_console.exe is launched by the service definition.
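
The prefix-by-prefix parsing described above, as an added PowerShell example (not code from the advisory, the exploit author, or ASUS): it expands a command line into the candidates Windows would try, following the documented CreateProcess rule, and reports any unintended candidate that already exists on disk. The function name Get-UnquotedPathCandidate is hypothetical.

```powershell
# Added example; Get-UnquotedPathCandidate is a hypothetical helper name.
function Get-UnquotedPathCandidate {
    param([Parameter(Mandatory)][string]$CommandLine)

    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return }            # quoted: no ambiguity

    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -eq '') { continue }        # ignore runs of spaces
        $prefix = $tokens[0..$i] -join ' '
        # Windows appends ".exe" when the last path element has no extension
        if ($prefix -notmatch '\.[^\\.]+$') { $prefix += '.exe' }
        $prefix                                     # emit candidate, in try order
        # A token ending in ".exe" is the intended binary; the rest are arguments
        if ($tokens[$i] -match '\.exe$') { break }
    }
}

# Audit: every candidate before the last is a file the service never meant to run.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc = $_
        $all = @(Get-UnquotedPathCandidate -CommandLine $svc.PathName)
        if ($all.Count -lt 2) { return }            # nothing ambiguous for this service
        foreach ($path in $all[0..($all.Count - 2)]) {
            [pscustomobject]@{
                Service   = $svc.Name
                Candidate = $path
                # True means a file already sits at an unintended location: investigate it
                Exists    = Test-Path -LiteralPath $path -PathType Leaf
            }
        }
    }
```

A row with Exists set to True, such as a file at C:\Program.exe, is the condition the advisory describes and should be treated as a possible compromise rather than a configuration finding.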

Why this is important

  • Privilege escalation: Execution of attacker-controlled binary with SYSTEM privileges allows full control of the host.
  • Precondition: The exploit requires write access to an earlier path component (in this case, the root of the system drive). That is a relatively strong precondition compared to some bugs, but scenarios exist (misconfigured file shares, weak ACLs, temporary local access, or other vulnerabilities) that may allow such writes.
  • Common misconfiguration: Unquoted service path vulnerabilities are frequently found in legacy or poorly constructed installers and services; they are easy to avoid by quoting paths during service installation.

Safe proof-of-concept summary (lab only)

When responsibly tested in a controlled environment, researchers confirmed that the service configuration for AProConsoleService does not quote the executable path. The Windows Service Control Manager, when starting the service, may therefore resolve C:\Program.exe first. If such a file exists and is executable, it will run with the service account privileges. Note: do not attempt to reproduce this on production systems. Testing should be restricted to isolated lab environments where you have explicit authorization.

Detection — find similar unquoted service paths on Windows

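Administrators should scan endpoints for unquoted service paths. The following defensive PowerShell snippet enumerates services whose executable path contains a space and is not enclosed in quotes. Run with administrative privileges:

Get-CimInstance -ClassName Win32_Service |
  Where-Object {
    # Skip empty or already-quoted paths, then keep entries with a space
    # inside the executable path (the text up to the first ".exe").
    $_.PathName -and
    $_.PathName -notmatch '^\s*"' -and
    $_.PathName -match '^(.+?\.exe)' -and
    $Matches[1] -match '\s'
  } |
  Select-Object Name, StartMode, State, PathName

Explanation: This script queries the Win32_Service class, skips entries with an empty PathName or one that already begins with a double quote, and keeps those where the executable portion (everything up to the first ".exe") contains whitespace. Quoted paths followed by arguments, and unquoted paths without spaces that merely carry arguments (for example svchost.exe -k ...), are therefore not reported. It prints name, startup mode, state, and the raw PathName. Use this as a starting point to triage suspicious entries.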

Example SIEM queries (conceptual):

  • Windows Event Monitoring: Alert on process creation events where the created process is located directly under C:\ (e.g., C:\Program.exe) and the parent is a service host or svchost.exe.
  • File Integrity Monitoring: Alert on creation or modification of executables at the root of system drives (C:\) or other top-level folders.

Remediation and mitigation (recommended steps)

Follow a layered approach. Prioritize application updates, then apply mitigations and hardening.

  • Install vendor update — primary fix: upgrade ASUS Control Center Express to the vendor-supplied version that addresses this issue. Check the ASUS product page and security advisories for the patched release beyond 01.06.15.
  • Correct the service ImagePath — ensure the service’s ImagePath is the fully quoted path to the intended binary (e.g., "C:\Program Files\ASUS\ControlCenter\apro_console.exe"). This eliminates ambiguous parsing by the service loader.
  • Restrict write permissions — ensure the root of the system volume and other critical system locations are not writable by non-privileged users or service accounts. NTFS ACLs should not permit standard users or service accounts to create executables in C:\.
  • Limit service privileges — configure services to run with the least privileges necessary. If a service does not require SYSTEM, consider a less-privileged account or using virtualized service isolation where possible.
  • File integrity and AV controls — ensure endpoint protection is monitoring for new executables in suspicious locations and that file integrity monitoring alerts on attempts to write to top-level directories.

Safe remediation example — quoting an ImagePath

As an administrator, you can adjust a service’s ImagePath so Windows parses it correctly. One common administrative tool is sc.exe, which can update the service binary path. Example (administrative context, run from an elevated Command Prompt):

sc.exe config AProConsoleService binPath= "\"C:\Program Files\ASUS\ControlCenter\apro_console.exe\""

Explanation: The command updates the AProConsoleService configuration so the ImagePath is explicitly quoted. Note the escaped quotes inside the command and the space that must follow binPath=. Type sc.exe in full: in Windows PowerShell, sc on its own is an alias for Set-Content. The path shown is an example; substitute the path actually configured for the service. Test such changes in a maintenance window and ensure the new path is valid and the service functions as expected. If you are uncomfortable using sc.exe directly, update the service using documented vendor tools or group policy where available.
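
The same fix as a guarded PowerShell function, added here as an example (not the vendor's or the exploit author's code): it writes the ImagePath registry value directly instead of calling sc.exe, preserves arguments and the value type, and supports -WhatIf. The function name Repair-UnquotedImagePath is hypothetical.

```powershell
# Added example; Repair-UnquotedImagePath is a hypothetical helper name.
function Repair-UnquotedImagePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $item = Get-Item -LiteralPath $key
    # Read the raw value so REG_EXPAND_SZ variables such as %SystemRoot% are preserved
    $raw  = $item.GetValue('ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if (-not $raw) { throw "No ImagePath for $ServiceName" }
    if ($raw.TrimStart().StartsWith('"')) { Write-Verbose 'Already quoted'; return }

    # Split into executable (up to the first ".exe") and trailing arguments
    if ($raw -notmatch '^\s*(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        throw "Cannot locate an .exe in: $raw"
    }
    $exe  = $Matches['exe']
    $rest = $Matches['args']
    if ($exe -notmatch '\s') { Write-Verbose 'No space in executable path'; return }

    # Refuse to rewrite if the intended binary is not where the path says it is
    $resolved = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        throw "Executable not found: $resolved"
    }

    $fixed = '"{0}"{1}' -f $exe, $rest
    if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
        # Keep the original value type (REG_SZ or REG_EXPAND_SZ)
        $kind = $item.GetValueKind('ImagePath')
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type $kind
    }
    $fixed
}

# Dry run first: shows the value that would be written without changing anything
Repair-UnquotedImagePath -ServiceName AProConsoleService -WhatIf
```

The new value takes effect the next time the service starts; rerun the detection snippet afterwards to confirm the entry no longer appears.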

Monitoring and detection rules

  • Alert on creation of executable files in the root of system drives (e.g., C:\Program.exe) from non-administrative accounts.
  • Monitor for new services whose ImagePath contains spaces and lacks surrounding quotes.
  • Correlate service start events with unexpected child processes—look for service starts that spawn processes from unusual locations.
  • Use EDR/endpoint tools to block execution of binaries from top-level directories and to produce high-fidelity alerts when services launch unexpected executables.

Long-term remediation and best practices

  • Use secure installer practices: always quote service executable paths during installation.
  • Principle of least privilege: avoid running services as SYSTEM unless strictly necessary.
  • Harden filesystem ACLs for system drive root and Program Files directories.
  • Adopt continuous scanning for common misconfigurations (unquoted paths, world-writable locations, weak ACLs).
  • Keep software inventories and apply vendor security updates quickly, especially for management and monitoring tools that run with elevated privileges.

Timeline & references

Vendor security bulletins and CVE details provide authoritative guidance and patched versions. Administrators should consult ASUS support and security advisory pages to identify the fixed version and follow the vendor’s upgrade instructions. For further reading on unquoted service path issues and secure service configuration, Microsoft’s documentation on service security and ImagePath guidelines is useful.

Final notes for defenders

This is a privilege escalation vulnerability with a significant consequence if an adversary can meet the write-precondition. Prioritize patching or quoting the service path and ensure file-system ACLs do not allow unprivileged users to place executables in candidate locations. Use the detection and monitoring suggestions above to identify both existing exposures and attempted exploitation in your environment.