Game Jackal Server v5 - Unquoted Service Path "GJServiceV5"

Exploit Author: Idan Malihi
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2023-07-11
# Exploit Title: Game Jackal Server v5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.allradiosoft.ru
# Software Link: https://www.allradiosoft.ru/en/ss/index.htm
# Version: 5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36166

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Game Jackal Server v5    GJServiceV5    C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe    Auto

C:\Users>sc qc GJServiceV5
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GJServiceV5
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Game Jackal Server v5
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo

Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation


Game Jackal Server v5 – Unquoted Service Path Vulnerability (CVE-2023-36166)

Security researchers have identified a critical privilege escalation vulnerability in Game Jackal Server v5, software developed by SlySoft and distributed through AllRadioSoft. This flaw, officially assigned CVE-2023-36166, stems from an unquoted service path configuration that enables local attackers to gain elevated privileges on Windows systems.

Understanding the Vulnerability: Unquoted Service Paths

Windows services are designed to run automatically at system startup, often under the LocalSystem account, which has full access to the operating system. When a service's binary path contains spaces and is not enclosed in quotation marks, the service control manager cannot tell where the executable name ends and its arguments begin, so it tries each space-delimited prefix of the path as the executable before falling back to the full path. An executable placed at one of those prefix locations is started instead of the intended binary.

For example, if a service is configured to run:

C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe

and the path is not quoted, Windows first resolves it as:

  • C:\Program — tried as the executable name (Windows appends .exe when resolving it)
  • Files (x86)\SlySoft\Game Jackal v5\Server.exe — treated as the arguments to that executable

Thus, an attacker can place a malicious executable named Program.exe in C:\Program, and when the service starts, it will execute the attacker’s payload instead of the legitimate binary.

Exploitation Evidence: Real-World Proof-of-Concept

Researchers, including Idan Malihi, have demonstrated this vulnerability using standard Windows command-line tools:

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

This command filters services that start automatically and are not located in the system directory, revealing the vulnerable service:

Game Jackal Server v5    GJServiceV5    C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe    Auto

Further verification using sc qc confirms the unquoted path:

[SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: GJServiceV5
 BINARY_PATH_NAME : C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe

Notice the absence of quotes around the path—this is the core vulnerability.

Attack Vector and Exploitation Steps

Attackers with local access (e.g., a user with standard privileges) can exploit this flaw by:

  1. Creating a directory C:\Program (if it doesn't exist).
  2. Placing a malicious executable named Program.exe in that directory.
  3. Ensuring the malicious binary mimics the legitimate Server.exe behavior or performs privilege escalation.
  4. Waiting for the service to start (automatically, or manually via sc start GJServiceV5).

When the service launches, Windows will execute Program.exe first, giving the attacker full control under the LocalSystem context.

Impact and Risk Assessment

Severity            Critical
CVSS Score          7.8 (High)
Attack Vector       Local (user with standard privileges)
Privilege Required  Low (non-admin user)
Exploitability      High (simple, no additional tools required)

Due to the low barrier to entry and high privilege escalation potential, this vulnerability poses a significant threat in environments where untrusted users have access to Windows systems.

Remediation and Best Practices

Administrators and users should take immediate action to mitigate this risk:

  • Update the software to the latest version, if available, or disable the service if no update is provided.
  • Quote the service path in the registry or via sc config to prevent path interpretation issues.
  • Run services under least-privilege accounts whenever possible (e.g., NetworkService instead of LocalSystem).
  • Regularly audit service configurations using tools like wmic or PowerShell scripts.

Example fix using sc config (run from an elevated command prompt):

sc config GJServiceV5 binpath= "\"C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe\""

The inner quotes must be escaped: the outer pair is consumed by command-line parsing, so binpath= "C:\Program Files (x86)\...\Server.exe" would store the path exactly as before, still unquoted. The space after binpath= is required by sc. Re-run sc qc GJServiceV5 afterwards and confirm that BINARY_PATH_NAME now shows the quoted path; once the executable is unambiguous the service control manager no longer tries the shorter prefixes, which prevents the vulnerability from being exploited.
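The audit and the fix above, as an added PowerShell example that is not part of the advisory or of the analysis. Get-UnquotedServicePath performs the check the wmic filter does by hand (every service whose unquoted image path contains a space outside the Windows directory) and also lists the prefix locations the service control manager would try before the real binary, so an administrator can verify that none of them lies in a directory standard users can write to. Repair-UnquotedServicePath writes the quoted path back to the service's ImagePath value. Both function names, the registry-based fix and the output layout are my own; the script assumes an elevated session on the host being audited and nothing in it is specific to Game Jackal beyond the service path already shown on this page.

```powershell
# Added example (not part of the advisory): audit services for unquoted image
# paths that contain spaces, report the candidate prefixes, and optionally fix them.
# Assumes an elevated PowerShell session; function names are hypothetical.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    # Win32_Service.PathName is the raw ImagePath exactly as the SCM sees it
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        # An image path that begins with a quote is unambiguous: nothing to report
        if ($path.TrimStart().StartsWith('"')) { return }
        # Executable portion: everything up to and including the first ".exe"
        if ($path -notmatch '^(?<exe>.+?\.exe)') { return }
        $exe = $Matches.exe
        # Only an executable path containing a space can be mis-resolved
        if ($exe -notmatch ' ') { return }
        # Skip the Windows directory, as the advisory's wmic filter does
        if ($exe -like "$env:SystemRoot\*") { return }
        # Prefixes the SCM tries before the full path, each with ".exe" appended
        # (for the page's example the first one is C:\Program.exe)
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            RunAs      = $_.StartName
            ImagePath  = $path
            Executable = $exe
            Candidates = $candidates
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
        if ($current.TrimStart().StartsWith('"')) { return }
        if ($current -notmatch '^(?<exe>.+?\.exe)(?<args>.*)$') { return }
        # Quote only the executable; any arguments after it are kept as they were
        $fixed = '"' + $Matches.exe + '"' + $Matches.args
        # Note: this writes a plain string. If the original value relied on
        # environment variables (REG_EXPAND_SZ), prefer the sc config form above.
        if ($PSCmdlet.ShouldProcess($Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
        }
    }
}

# Report first; review the list, then remove -WhatIf to apply the fix
Get-UnquotedServicePath | Format-List Name, StartMode, RunAs, ImagePath, Candidates
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

The audit deliberately reports every matching service rather than only auto-start ones, because a manually started service running as LocalSystem is exposed in the same way; StartMode is included in the output so the list can be filtered. Restart the affected service after the repair so the new ImagePath takes effect, and keep the -WhatIf run as the record of what was changed.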

Broader Implications: Why This Matters

Unquoted service paths are a recurring issue across the Windows ecosystem, often overlooked during software development. This vulnerability highlights how even niche software—like Game Jackal Server v5—can introduce serious security flaws if proper configuration standards are ignored.

Organizations should implement automated security checks for service paths as part of their patch management and configuration hardening processes. Application allow-listing such as Windows Defender Application Control can block an unapproved binary from running even if it is dropped at one of these prefix locations, and endpoint platforms such as Microsoft Defender for Endpoint can surface this kind of misconfiguration and alert administrators.

Ultimately, this case serves as a reminder: security is not just about code—it’s about configuration, trust, and attention to detail.