VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026

Realtek High Definition Audio Driver 6.0.1.6730 Privilege Escalation

CVE-2016-20085

Description

Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service path. Attackers can insert an executable file in the unquoted path and restart the service to execute code with LocalSystem privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"The Realtek Audio Driver service defines its binary path without quotation marks, enabling Windows' unquoted service path resolution to load an arbitrary executable."

Attack vector

A local attacker exploits an unquoted service path to escalate privileges [ref_id=1]. The service `RtkAudioService` runs as `LocalSystem` and its binary path contains spaces without quotes. An attacker can place a malicious executable such as `Program.exe` into `C:\` — the first space-delimited segment of the path. When the service is restarted (or the system reboots), Windows resolves the unquoted path by trying each prefix in order, which causes it to launch the attacker's executable with LocalSystem privileges [ref_id=1].

Affected code

The Realtek High Definition Audio Driver version 6.0.1.6730 installs the Windows service **RtkAudioService** with an unquoted binary path: `C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe` [ref_id=1]. Because the path contains spaces and is not enclosed in quotation marks, Windows tries each space-delimited prefix of the path as a possible executable, so an executable placed at one of those earlier locations is launched instead of the intended binary.

What the fix does

The advisory and exploit documentation do not include a patch [ref_id=1]. The remediation is for the vendor to enclose the binary path in quotation marks (e.g., `"C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe"`) when defining the service, so that Windows treats the whole string as one executable path instead of splitting it at each space. Until a fix is applied, users should verify that no writable directories exist before the intended executable in the unquoted path.
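An audit helper for the check described above, added here as an example and not taken from the advisory or any vendor tooling: it parses `sc qc` output, lists the executables Windows would try before the intended binary, and reports which directories need an ACL review. The sample output is constructed (only the service name, path and account come from the advisory), and the function names are hypothetical.

```python
import ntpath
import os
import re

# Constructed `sc qc RtkAudioService` output; only the service name, binary
# path and LocalSystem account are taken from the advisory.
SAMPLE_SC_QC = r"""
SERVICE_NAME: RtkAudioService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.+?)[ \t]*$",
                  sc_qc_output, re.M)
    return m.group(1) if m else None

def shadow_candidates(image_path):
    """List executables Windows would try before the intended one (empty if quoted)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the path is taken as a single unit
    # Assumption: the intended binary ends at the first ".exe" followed by
    # whitespace or end of string; anything after that is arguments.
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", path)
    exe = m.group(1) if m else path
    out = []
    for i, ch in enumerate(exe):
        if ch == " " and not exe[:i].endswith(" "):
            # Assumption: the prefix has no extension, so ".exe" is appended.
            out.append(exe[:i] + ".exe")
    return out

def audit(sc_qc_output, exists=os.path.exists):
    """Summarise exposure: candidates, directories needing ACL review, files present."""
    path = binary_path(sc_qc_output)
    cands = shadow_candidates(path) if path else []
    return {
        "binary_path": path,
        "unquoted_with_spaces": bool(cands),
        "dirs_to_check_acl": sorted({ntpath.dirname(c) for c in cands}),
        "present_on_disk": [c for c in cands if exists(c)],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SC_QC))
```

A non-empty `present_on_disk` on a real host means a file already sits at one of the earlier candidate locations and should be investigated.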

Preconditions

  • config: The Realtek Audio Driver service must be installed and configured with an unquoted binary path containing spaces.
  • input: The attacker must have local access to the Windows system and be able to write a file (e.g., Program.exe) to a directory that appears earlier in the unquoted path.
  • auth: The attacker must be able to trigger a service restart or system reboot to execute the placed payload.

Reproduction

1. Verify the unquoted service path with `sc qc RtkAudioService`.
2. Compile or obtain a malicious executable (e.g., `Program.exe`) that will run with elevated privileges.
3. Place `Program.exe` into `C:\` (since the binary path starts with `C:\Program Files\...`).
4. Restart the system or restart the `RtkAudioService`. The service will launch `C:\Program.exe` as the LocalSystem user [ref_id=1].

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
