CVE-2022-27095
📋 TL;DR
BattlEye anti-cheat software v0.9 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to SYSTEM level by placing a malicious executable in a directory with a specific name. This affects systems running BattlEye v0.9 on Windows. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- BattlEye Anti-Cheat
📦 What is this software?
BattlEye by BattlEye
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete system compromise, persistence installation, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access protected system resources.
If Mitigated
Limited impact with proper access controls, but still presents a security risk that should be patched.
🎯 Exploit Status
Exploit requires local access to the system. Public exploit code is available on Exploit-DB (50815). The vulnerability is straightforward to exploit once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.9.1 or later
Vendor Advisory: https://www.battleye.com/
Restart Required: Yes
Instructions:
1. Update BattlEye to version 0.9.1 or later.
2. Restart the system to ensure the updated service is running.
3. Verify the service path is properly quoted in the Windows service configuration.
🔧 Temporary Workarounds
Manually quote service path
Windows: Manually edit the BattlEye service configuration to use a quoted path
sc config "BattlEye Service" binPath= "\"C:\Program Files\BattlEye\BEService.exe\""
Restrict directory permissions
Windows: Set strict permissions on directories in the BattlEye installation path to prevent unauthorized file creation
icacls "C:\Program Files\BattlEye" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)W"
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local access to affected systems
- Monitor for suspicious file creation in BattlEye installation directories and service-related activities
🔍 How to Verify
Check if Vulnerable:
Check if BattlEye service path is unquoted: sc qc "BattlEye Service" | findstr BINARY_PATH_NAME
Check Version:
Check BattlEye version in Control Panel or via the service properties
Verify Fix Applied:
Verify service path is quoted and BattlEye version is 0.9.1 or higher
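As an added verification helper (example code written for this page, not BattlEye's or the advisory's own tooling), the Python below parses `sc qc` output captured from a Windows host, applies the unquoted-path test behind CVE-2022-27095, lists the parent directories whose write permissions need auditing, and emits the `sc config` quoting fix. The sample `sc qc` text and the install path `C:\Program Files\BattlEye\BEService.exe` are constructed assumptions.

```python
import ntpath
import re

# Constructed sample in the shape `sc qc "BattlEye Service"` prints on Windows;
# the install path is an assumption, not taken from the advisory.
SAMPLE_SC_QC = """
SERVICE_NAME: BattlEye Service
        BINARY_PATH_NAME   : C:\\Program Files\\BattlEye\\BEService.exe
        DISPLAY_NAME       : BattlEye Service
"""

def parse_sc_qc(output):
    """Map each `FIELD : value` line of `sc qc` output to a dict entry."""
    pairs = (re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", l) for l in output.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def executable_part(binary_path):
    """Drop service arguments: keep the path up to the first `.exe` token."""
    m = re.match(r'("?.*?\.exe"?)(\s|$)', binary_path.strip(), re.IGNORECASE)
    return m.group(1) if m else binary_path.strip()

def is_unquoted_path(binary_path):
    """The CVE-2022-27095 condition: the executable path has a space but no quotes."""
    exe = executable_part(binary_path)
    return not exe.startswith('"') and " " in exe

def dirs_to_audit(exe_path):
    """Parent directory of every prefix that ends just before a space: the service
    control manager may try such a prefix as an executable before the real one,
    so these directories (not only the install directory) need write-ACL review."""
    dirs = [ntpath.dirname(exe_path[:i]) for i, ch in enumerate(exe_path) if ch == " "]
    return list(dict.fromkeys(dirs))  # de-duplicate, keep path order

def quoted_fix_command(service_name, exe_path):
    """The `sc config` line that rewrites the path quoted (sc.exe needs the space after binPath=)."""
    return f'sc config "{service_name}" binPath= "\\"{exe_path}\\""'

def assess(sc_qc_output):
    """Combine the checks for one service into a single verification result."""
    cfg = parse_sc_qc(sc_qc_output)
    name, exe = cfg.get("SERVICE_NAME", ""), executable_part(cfg.get("BINARY_PATH_NAME", ""))
    vulnerable = is_unquoted_path(exe)
    return {"service": name, "vulnerable": vulnerable,
            "audit_dirs": dirs_to_audit(exe) if vulnerable else [],
            "fix": quoted_fix_command(name, exe) if vulnerable else ""}

if __name__ == "__main__":
    print(assess(SAMPLE_SC_QC))
```

Feed it the real `sc qc "BattlEye Service"` output on a host to check; a `vulnerable` result of `False` after patching confirms the quoted path is in place.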
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) showing unexpected executables running from BattlEye directories
- Windows Event ID 7045 (service installation) showing service path modifications
Network Indicators:
- Unusual outbound connections from BattlEye service or related processes
SIEM Query:
EventID=4688 AND (ProcessName="*BattlEye*" OR Image="*BattlEye*") AND NOT (CommandLine="*\"C:\\Program Files\\BattlEye\\*\"*")