Unquoted Service Paths

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Recommendations

Vulnerability

Windows services are executables that the Service Control Manager starts automatically. Each service is configured with the path of its binary. If that path contains spaces and is not enclosed in quotes, Windows cannot tell where the executable name ends, so it treats each space as a possible terminator and tries the shortest candidate first. For instance, given the unquoted path C:\Program Files\My Folder\Hello World.exe, Windows will try to run, in this order:

  1. C:\Program.exe
  2. C:\Program Files\My.exe
  3. C:\Program Files\My Folder\Hello.exe
  4. C:\Program Files\My Folder\Hello World.exe

If you have permission to create an executable in one of the first three locations, your binary is started instead of the intended one and runs with the service account's privileges, which lets you escalate your privileges on the system.

Prerequisites

  • Low privileged access to the targeted system.

Exploit

First, you need to identify services with unquoted paths that could be exploited.

# Enumerate service paths using wmic.
wmic service get name,pathname

# Enumerate running services using native PowerShell.
Get-CimInstance -ClassName Win32_Service | Select-Object Name, State, PathName | Where-Object { $_.State -like 'Running' }

It can also be achieved by tools such as SharpUp or WinPEAS.

.\SharpUp.exe audit UnquotedServicePath
.\WinPEAS.exe

Once identified, you need to check whether you have the permissions required to drop a payload in any of the candidate paths. Check the parent directory of each candidate (for C:\Program.exe that is C:\ itself).

Get-Acl -Path "C:\Program Files\My Folder" | Format-List

If a group you belong to has the necessary permissions on that directory (e.g. CreateFiles or FullControl) to drop an executable, you can perform the attack. Once your executable is in place, you can either restart the associated service (if you are a local administrator) or wait for a system reboot.
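The search order described in the Vulnerability section and the enumeration and ACL checks above can be combined into one audit script. The following PowerShell is an added example and is not code from the original page: it expands every unquoted service path into the candidates Windows would try, then reports the candidates whose parent directory grants create or write rights to broad groups. The list of "broad" identities is an assumption to adjust for your environment; the script only reads ACLs and can be run as a low-privileged account.

```powershell
# Added example (not from the original page): audit services for unquoted paths with
# spaces, expand each into the candidate paths Windows tries in order, and report
# candidates whose parent directory is writable by broad groups.

function Get-UnquotedPathCandidates {
    # Expand an unquoted path into the executables Windows tries, shortest first.
    param([Parameter(Mandatory)][string]$PathName)

    # Only the part up to the executable name matters; trailing arguments are ignored.
    if (-not ($PathName -match '^(.*?\.exe)')) { return @() }
    $exe = $Matches[1]

    $parts = $exe -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        # Text before the i-th space, with ".exe" appended by the loader.
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    $candidates += $exe
    return $candidates
}

function Test-WritableByBroadGroup {
    # True if a broad identity holds an Allow ACE with create/write rights on $Directory.
    param([Parameter(Mandatory)][string]$Directory)

    # Identities a low-privileged user is typically a member of (assumption; adjust as needed).
    $broadIdentities = @('Everyone', 'BUILTIN\Users',
                         'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Specific rights that allow dropping a file, plus GENERIC_WRITE and GENERIC_ALL bits.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl)
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Find-WritableUnquotedServicePaths {
    # Emit one object per (service, writable candidate path) pair.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $service = $_
        $path = $service.PathName
        # Quoted paths and paths whose executable part has no space are not affected.
        if (-not $path -or $path.StartsWith('"')) { return }
        if (-not ($path -match '^(.*?\.exe)') -or $Matches[1] -notmatch ' ') { return }

        foreach ($candidate in Get-UnquotedPathCandidates -PathName $path) {
            $dir = Split-Path -Path $candidate -Parent
            if (Test-WritableByBroadGroup -Directory $dir) {
                [pscustomobject]@{
                    Service   = $service.Name
                    StartMode = $service.StartMode
                    RunsAs    = $service.StartName
                    PathName  = $path
                    Writable  = $candidate
                }
            }
        }
    }
}

# Sanity check against the page's example path, then audit the local machine.
Get-UnquotedPathCandidates -PathName 'C:\Program Files\My Folder\Hello World.exe'
Find-WritableUnquotedServicePaths | Format-Table -AutoSize
```

The first call prints the four candidates listed in the Vulnerability section in the same order. A reported row means a broad group can create files in the directory Windows searches before the real binary, so the service is a finding regardless of whether anyone has exploited it; the StartMode and RunsAs columns help prioritise automatic services that run as a privileged account.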

If you’re too lazy (and I know you are), you can use SharpUp or WinPEAS to automatically enumerate unquoted service paths that can be exploited.

.\SharpUp.exe audit UnquotedServicePath
.\WinPEAS.exe

Recommendations

  • Quote Windows service paths with spaces.
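The fix is to quote the executable part of the service's ImagePath while leaving any arguments outside the quotes. The PowerShell below is an added example, not from the original page: it reads the service's ImagePath from the registry, wraps the executable in double quotes if it is unquoted and contains spaces, and writes it back with the original value type. It requires administrative rights, supports -WhatIf for a dry run, and the service must be restarted for the change to take effect. The service name used in the usage line is a placeholder.

```powershell
# Added example (not from the original page): quote the executable part of an
# unquoted service ImagePath, preserving trailing arguments and the registry value type.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $regPath -Name ImagePath).ImagePath

    # Already quoted: nothing to do.
    if ($current.StartsWith('"')) { return $current }
    # Split into the executable (up to .exe) and whatever arguments follow it.
    if (-not ($current -match '^(?<exe>.*?\.exe)(?<rest>.*)$')) { return $current }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']
    # No space in the executable part: the path is not ambiguous.
    if ($exe -notmatch ' ') { return $current }

    $fixed = "`"$exe`"$rest"
    # Keep REG_SZ / REG_EXPAND_SZ as it was so %SystemRoot%-style paths keep expanding.
    $kind = (Get-Item -Path $regPath).GetValueKind('ImagePath')
    if ($PSCmdlet.ShouldProcess($ServiceName, "set ImagePath to $fixed")) {
        Set-ItemProperty -Path $regPath -Name ImagePath -Value $fixed -Type $kind
    }
    return $fixed
}

# Dry run first, then apply (placeholder service name; run from an elevated prompt).
Repair-UnquotedServicePath -ServiceName 'MyService' -WhatIf
Repair-UnquotedServicePath -ServiceName 'MyService'
```

For the page's example, ImagePath C:\Program Files\My Folder\Hello World.exe becomes "C:\Program Files\My Folder\Hello World.exe", which is the same result as sc.exe config with a quoted binPath. Re-running the audit script from the Exploit section afterwards confirms that the service no longer appears.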