CVE-2021-47852 Overview
CVE-2021-47852 is a privilege escalation vulnerability affecting Rockstar Games Launcher version 1.0.37.349. The vulnerability exists due to insecure file permissions (CWE-276) that allow authenticated users to modify the service executable RockstarService.exe. Attackers with local access can replace this executable with a malicious binary to create new administrator accounts and gain elevated system privileges.
Critical Impact
Local authenticated attackers can escalate privileges to SYSTEM level by exploiting weak file permissions on the Rockstar Games Launcher service executable, potentially leading to complete system compromise.
Affected Products
- Rockstar Games Launcher version 1.0.37.349
- Systems running RockstarService.exe with default insecure permissions
Discovery Timeline
- 2026-01-21 - CVE-2021-47852 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2021-47852
Vulnerability Analysis
This vulnerability stems from improper permission configuration on the RockstarService.exe executable file. When the Rockstar Games Launcher is installed, the service executable is configured with weak file system permissions that allow standard authenticated users write access to the binary. Since Windows services typically run with elevated privileges (often as SYSTEM), replacing the legitimate service executable with a malicious payload results in arbitrary code execution with those elevated privileges when the service restarts.
The attack requires local access and valid user credentials, but does not require administrative privileges to execute. Once exploited, an attacker can perform actions such as creating new administrator accounts, installing persistent backdoors, or extracting sensitive data from the compromised system.
Root Cause
The root cause is CWE-276: Incorrect Default Permissions. The installation routine for Rockstar Games Launcher sets overly permissive Access Control Lists (ACLs) on the RockstarService.exe file, granting write permissions to non-administrative users. This violates the principle of least privilege and allows unauthorized modification of a privileged service binary.
Attack Vector
The attack vector is local, requiring an authenticated user to have access to the file system where Rockstar Games Launcher is installed. The attacker identifies the RockstarService.exe file location, verifies that write permissions are available, and then replaces the legitimate binary with a malicious executable. Upon the next service restart (which can be triggered by a system reboot or service restart command), the malicious code executes with SYSTEM privileges.
The exploitation process typically involves:
- Identifying the insecure file permissions on RockstarService.exe
- Creating a malicious executable that performs privileged actions (e.g., creating an administrator account)
- Replacing the legitimate service binary with the malicious payload
- Waiting for or triggering a service restart to execute the payload
For detailed technical information about this vulnerability, refer to the Exploit-DB #49739 entry and the VulnCheck Advisory.
Detection Methods for CVE-2021-47852
Indicators of Compromise
- Unauthorized modifications to RockstarService.exe file hash or timestamp
- New administrator accounts created on systems with Rockstar Games Launcher installed
- Unexpected changes to file permissions on Rockstar Games Launcher installation directory
- Suspicious process execution spawned from RockstarService.exe
Detection Strategies
- Monitor file integrity of RockstarService.exe using hash-based verification
- Audit Windows Security Event logs for account creation events (Event ID 4720) correlated with Rockstar service activity
- Implement endpoint detection rules for service executable modifications in protected directories
- Monitor for privilege escalation patterns involving Windows service executables
Monitoring Recommendations
- Enable Windows Audit File System policy for the Rockstar Games Launcher installation directory
- Configure SIEM alerts for unauthorized modifications to service executables
- Deploy behavioral analytics to detect service binary replacement attack patterns
- Regularly audit file permissions on installed Windows services
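One way to carry out the service-permission audit recommended above, as an added example that is not part of the original advisory or any vendor tooling. The list of trusted SIDs and the set of rights treated as "write" are assumptions to adjust for your environment.

```powershell
# Added example: report Windows service binaries that a principal outside the
# trusted list can modify. Read-only; it changes nothing on the system.
# Assumption: only these well-known SIDs should hold write access.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that permit changing or replacing the file, plus raw GENERIC_WRITE and GENERIC_ALL.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000

# Extract the executable path from a service PathName (quoted, or unquoted with arguments).
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')         { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)')  { return $Matches[1] }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }

    $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    # Request ACEs keyed by SID so the comparison is independent of the OS display language.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $aces) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $trustedSids -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                SID       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

The script checks the ACL of each service binary only; the containing directory's ACL needs the same review, since the advisory also lists permission changes on the installation directory as an indicator.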
How to Mitigate CVE-2021-47852
Immediate Actions Required
- Verify and correct file permissions on RockstarService.exe to restrict write access to administrators only
- Audit systems for signs of compromise including unauthorized administrator accounts
- Update Rockstar Games Launcher to the latest available version
- Implement application whitelisting to prevent unauthorized executable replacement
Patch Information
Users should update to the latest version of Rockstar Games Launcher available from the official Rockstar Games Launcher page. Review the VulnCheck Advisory for additional remediation guidance.
Workarounds
- Manually correct file permissions using Windows ACL tools to remove write access for non-administrative users
- Implement endpoint protection solutions that monitor and prevent service executable modifications
- Use Windows Security Policy to enforce strict permissions on service directories
- Consider running the application with restricted privileges or in a sandboxed environment until a patch is applied
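# Example: Correcting file permissions on Windows (run as Administrator)
# Remove inherited ACEs so permissive entries on the parent folder no longer apply to the file
icacls "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" /inheritance:r
# Replace any explicit entries for Administrators and SYSTEM with Full control
icacls "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" /grant:r Administrators:F
icacls "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" /grant:r SYSTEM:F
# Display the resulting ACL; explicit entries for other principals are not removed by the commands above
icacls "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe"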
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


