CVE-2022-29320
📋 TL;DR
MiniTool Partition Wizard v12.0 has an unquoted service path vulnerability that allows attackers with local access to escalate privileges to SYSTEM level by placing a malicious executable in a specific directory path. This affects all users running the vulnerable version of the software on Windows systems.
💻 Affected Systems
- MiniTool Partition Wizard
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete system compromise, persistence installation, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of malware, disabling security controls, or accessing protected system resources.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from writing to system directories and if endpoint protection blocks suspicious service creation.
🎯 Exploit Status
Exploit requires local access and ability to create files in a writable directory that appears in the unquoted service path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 12.1 or later
Vendor Advisory: https://www.minitool.com/partition-manager/partition-wizard-home.html
Restart Required: Yes
Instructions:
1. Download and install MiniTool Partition Wizard version 12.1 or later from the official website.
2. Uninstall the vulnerable version 12.0.
3. Restart the system to ensure the updated service is running.
🔧 Temporary Workarounds
Apply proper service path quoting
Windows: Manually edit the service configuration to put quotes around the service executable path. Replace ServiceName with the actual name of the service.
sc config "ServiceName" binPath= "\"C:\Program Files\MiniTool Partition Wizard 12.0\pwservice.exe\""
Restrict directory permissions
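Windows: Set restrictive permissions on directories in the service path to prevent unauthorized file creation. A deny entry for Everyone also applies to administrators and SYSTEM, so remove it before updating or uninstalling the software.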
icacls "C:\Program Files\MiniTool" /deny Everyone:(OI)(CI)W
🧯 If You Can't Patch
- Remove or disable the vulnerable MiniTool Partition Wizard service entirely
- Implement strict access controls to prevent unauthorized users from writing to system directories
🔍 How to Verify
Check if Vulnerable:
Check if MiniTool Partition Wizard version 12.0 is installed and examine the service path for unquoted spaces using: sc qc "MiniTool Service"
Check Version:
Check program version in Control Panel > Programs and Features or run: wmic product where name="MiniTool Partition Wizard" get version
Verify Fix Applied:
Verify the installed version is 12.1 or later and that the service path is properly quoted with: sc qc "MiniTool Service"
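The path check described above, automated as an added example (not part of the original advisory or of MiniTool's code): it parses `sc qc` output, flags an unquoted binary path that contains spaces, and lists the directories whose write permissions should be reviewed. The sample output is constructed from the service name and path this page uses, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed `sc qc` output; the service name and path are the ones this page uses.
SC_QC_UNQUOTED = r"""
SERVICE_NAME: MiniTool Service
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\MiniTool Partition Wizard 12.0\pwservice.exe
        SERVICE_START_NAME : LocalSystem
"""
# The same record after the quoting workaround has been applied (constructed).
SC_QC_QUOTED = r"""
SERVICE_NAME: MiniTool Service
        BINARY_PATH_NAME   : "C:\Program Files\MiniTool Partition Wizard 12.0\pwservice.exe"
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_qc_output, re.MULTILINE)
    return m.group(1) if m else None

def ambiguous_candidates(image_path):
    """Paths Windows tries before the intended binary when the path is unquoted."""
    p = image_path.strip()
    if p.startswith('"'):
        return []                      # quoted: resolved exactly as written
    # Keep only the executable part so spaces in arguments are not counted.
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", p)
    exe = m.group(1) if m else p
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(sc_qc_output):
    """Report whether the service path is ambiguous and which directories need ACL review."""
    path = binary_path(sc_qc_output)
    candidates = ambiguous_candidates(path) if path else []
    return {
        "path": path,
        "unquoted_with_spaces": bool(candidates),
        "review_write_access_on": sorted({ntpath.dirname(c) for c in candidates}),
    }

if __name__ == "__main__":
    for sample in (SC_QC_UNQUOTED, SC_QC_QUOTED):
        print(audit(sample))
```

Feed it the saved output of `sc qc` for each service on a host; a service is clean when `unquoted_with_spaces` is false.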
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service creation/modification events (Event ID 7045)
- Unexpected service starts from unusual paths
- File creation in system directories by non-admin users
Network Indicators:
- No specific network indicators as this is a local exploit
SIEM Query:
EventID=7045 AND (ServiceName="MiniTool*" OR ImagePath="*MiniTool*")