Unrated severity · NVD Advisory · Published May 20, 2022 · Updated Aug 3, 2024

CVE-2022-27095

Description

BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BattlEye 0.9's BEService has an unquoted service path allowing local privilege escalation to SYSTEM.

Vulnerability

BattlEye version 0.9 (and 0.94 as tested) contains an unquoted service path vulnerability in the BEService service. The service binary path is set to C:\Program Files (x86)\Common Files\BattlEye\BEService.exe without enclosing quotes [1]. Because the path contains spaces and is not quoted, Windows can treat a space as the end of the executable name and run a different executable that has been placed in a preceding directory.

Exploitation

An attacker with local user access can exploit this by placing a malicious executable in a directory that Windows will search due to the unquoted path. For example, placing Program.exe in C:\ would cause Windows to execute it instead of the intended BEService.exe when the service starts. The attacker must have write access to such a directory and then trigger service start (e.g., via reboot or manual start). The service runs under the LocalSystem account, so the malicious code executes with SYSTEM privileges [1].

Impact

Successful exploitation results in local privilege escalation from a standard user to SYSTEM, granting full control over the affected Windows system. The attacker can then install programs, view/change data, or create new accounts with full user rights.

Mitigation

As of the publication date (March 2022), no official patch has been released by BattlEye. The recommended mitigation is to quote the service binary path manually, either in the Windows Registry or with the sc config command:

    sc config BEService binPath= "\"C:\Program Files (x86)\Common Files\BattlEye\BEService.exe\""

Additionally, ensure that untrusted users cannot write to directories in the unquoted path. This CVE is not listed in the Known Exploited Vulnerabilities catalog.
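The check below is an added example, not code from the advisory or from BattlEye: it flags unquoted service image paths that contain spaces, lists the directories whose write permissions need review, and produces the quoted form to set. The function names and every sample entry except BEService are constructed for illustration, and the input is assumed to be ImagePath strings exported from the service configuration.

```python
import re
from pathlib import PureWindowsPath

# The image path ends at the first ".exe"; anything after it is arguments.
# Assumption: inputs are Win32 service ImagePath strings, not driver paths.
_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)


def audit_image_path(image_path):
    """Return None if the path is safe, else the dirs to review and a quoted fix."""
    path = image_path.strip()
    if path.startswith('"'):
        return None                       # already quoted
    m = _EXE_END.search(path)
    exe, args = (path[:m.end()], path[m.end():]) if m else (path, "")
    if " " not in exe:
        return None                       # nothing ambiguous to parse
    # Every space is a point where Windows may stop reading the path, so the
    # directory in front of each one must not be writable by untrusted users.
    review_dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = str(PureWindowsPath(exe[:i]).parent)
            if parent not in review_dirs:
                review_dirs.append(parent)
    return {"review_dirs": review_dirs, "quoted": f'"{exe}"{args}'}


def audit_services(services):
    """Map service name -> finding for every unquoted, space-containing path."""
    findings = {}
    for name, image_path in services.items():
        result = audit_image_path(image_path)
        if result:
            findings[name] = result
    return findings


# BEService is the path quoted in this advisory; the others are constructed.
SAMPLE = {
    "BEService": r"C:\Program Files (x86)\Common Files\BattlEye\BEService.exe",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "ExampleUpdater": r"C:\Program Files\Example Vendor\updater.exe /svc",
    "Schedule": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
}

if __name__ == "__main__":
    for name, f in audit_services(SAMPLE).items():
        print(name, f["review_dirs"], f["quoted"], sep="\n  ")
```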

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
