Unquoted Service Path
Introduction
When a service is created whose executable path contains spaces and isnβt enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.
For example, consider we have the following executable path. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
In order to run SomeExecutable.exe, the system will interpret this path in the following order from 1 to 5.
C:\Program.exe
C:\Program Files\A.exe
C:\Program Files\A Subfolder\B.exe
C:\Program Files\A Subfolder\B Subfolder\C.exe
C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe If
C:\Program.exe
is not found, thenC:\Program Files\A.exe
would be executed. IfC:\Program Files\A.exe
is not found, thenC:\Program Files\A Subfolder\B.exe
would be executed and so on.
Considering we have the write permissions in any of the spaced folders above, we as an attacker can drop our malicious executable in that folder to get a reverse shell as SYSTEM.
For example, consider we have a low privileged shell with username sumit, then, we can drop our malicious executable B.exe
at the path C:\Program Files\A Subfolder\
(considering sumit has write access to this folder), i.e. C:\Program Files\A Subfolder\B.exe
.
List Services with Unquoted Service Path
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
This command finds the service name, executable path, display name of the service and auto starts in all the directories except C:\Windows\ (since by default there is no such service which has spaces and is unquoted in this folder). Also, we need to exclude those services that are enclosed within the double quotes.
Last updated