Privilege Escalation Flaw Found in GoPro Fusion Studio 1.2


GoPro Fusion Studio is a feature rich editing software that allows you to transform your content into pro-quality videos.


Unquoted privilege escalation that allows a user to gain system privileges. The service runs as system which allows a non-privileged user to launch a binary under those privileges by replacing the executable launched by the service.

Date - 27 Aug 2018

Version: GoPro Fusion Studio 1.2


Tested on: Win 10 Pro

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GoProFusionDeviceDetectionService

       TYPE           : 10 WIN32_OWN_PROCESS

       START_TYPE         : 2 AUTO_START

       ERROR_CONTROL      : 1 NORMAL

       BINARY_PATH_NAME   : C:\Program Files\GoPro\Fusion Studio 1.2\GoProFusionDeviceDetection.exe


       TAG           : 0

       DISPLAY_NAME       : GoProFusionDeviceDetectionService

       DEPENDENCIES       :

       SERVICE_START_NAME : LocalSystem

       C:\Program Files\GoPro\Fusion Studio 1.2\GoProFusionDeviceDetection.exe

Humberto Cabrera, Senior Security Consultant

Copyright enableIT, LLC.

Reposting not permitted without written permission from enableIT®

Author retains full rights

Fabrice Mouret