CVE-2021-47852
📋 TL;DR
Rockstar Games Launcher version 1.0.37.349 has insecure file permissions on its RockstarService.exe that allow authenticated users to replace it with malicious code. This enables privilege escalation to SYSTEM/administrator level access. All users running this vulnerable version are affected.
💻 Affected Systems
- Rockstar Games Launcher
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise - attackers create new administrator accounts, install persistent malware, steal credentials, and gain complete control over the system.
Likely Case
Local privilege escalation leading to malware installation, credential theft, and lateral movement within the network.
If Mitigated
Limited to user-level access with no privilege escalation possible.
🎯 Exploit Status
Exploit requires authenticated user access and involves simple file replacement operations. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions later than 1.0.37.349
Vendor Advisory: https://socialclub.rockstargames.com/rockstar-games-launcher
Restart Required: Yes
Instructions:
1. Open Rockstar Games Launcher
2. Check for updates in settings
3. Install latest version
4. Restart computer
🔧 Temporary Workarounds
Restrict RockstarService.exe permissions
Windows: Manually set proper file permissions to prevent unauthorized modification
icacls "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" /inheritance:r /grant:r "SYSTEM:(F)" /grant:r "Administrators:(F)" /deny "Users:(M)"
Disable RockstarService
Windows: Temporarily disable the vulnerable service
sc config RockstarService start= disabled
sc stop RockstarService
🧯 If You Can't Patch
- Uninstall Rockstar Games Launcher completely
- Implement strict endpoint monitoring for file modification attempts on RockstarService.exe
🔍 How to Verify
Check if Vulnerable:
Check the file permissions on RockstarService.exe. If the Users group has Modify or Write permissions, the system is vulnerable.
Check Version:
Check launcher version in Settings > About or examine file properties of RockstarService.exe
Verify Fix Applied:
Verify that the permissions on RockstarService.exe allow full control only to SYSTEM and Administrators, and check that the launcher version is newer than 1.0.37.349.
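The permission check described above can be scripted. The following PowerShell is an added example, not code from the vendor or from this database. It assumes the install path used in the icacls workaround on this page and treats SYSTEM, Administrators and TrustedInstaller as the only principals expected to hold write access.

```powershell
# Added example: list ACL entries that let a non-admin principal
# modify or replace RockstarService.exe.
param(
    # Assumption: path taken from the icacls workaround on this page;
    # change it if the launcher is installed elsewhere.
    [string]$Path = 'C:\Program Files\Rockstar Games\Launcher\RockstarService.exe'
)

# Principals expected to hold write access, matched by SID so the check
# also works on non-English systems.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing the file's content, deleting it, or rewriting
# its ACL. Modify and FullControl both include these bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Unmapped generic rights: GENERIC_WRITE and GENERIC_ALL.
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

    # Resolve the SID to a readable name where possible.
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.IdentityReference.Value }

    [pscustomobject]@{
        Principal = $name
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Non-admin principals can modify $Path"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write-capable ACL entries for non-admin principals on $Path"
}
```

An empty result covers only the file's own ACL; the launcher version still has to be checked separately.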
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing file permission changes to RockstarService.exe
- Unexpected service restarts of RockstarService
- Creation of new administrator accounts
Network Indicators:
- Unusual outbound connections from RockstarService.exe
- SMB/network scanning originating from systems with Rockstar Launcher
SIEM Query:
(EventID=4688 AND ProcessName='RockstarService.exe' AND CommandLine CONTAINS 'net user') OR (EventID=4663 AND ObjectName LIKE '%RockstarService.exe%')