5.1.4 - Unquoted Service Path
Unquoted Service Path
The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but lacks proper quotation marks. This leads the operating system to search for the service binary using a specific sequence of rules, potentially allowing an attacker to exploit the path traversal behavior.
When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.
Example Service Configuration
SERVICE_NAME: SimpleService
BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe
If the above path is unquoted, Windows will attempt to execute the following binaries in this order:
C:\Users\Quickemu\Downloads\Example.exe
C:\Users\Quickemu\Downloads\Example Directory\Another.exe
C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe
PowerUp
List path for windows services:
Get-WmiObject -Class win32_service | select pathname
Get services with unquoted paths and a space in their name:
Get-ServiceUnquoted -Verbose
Get services where the current user can write to its binary path and change arguments to the binary:
Get-ModifiableServiceFile -Verbose
Get the services whose configuration current user can be modified:
Get-ModifiableServiceFile -Verbose
Override and Update rights of an existing service
sc.exe sdshow snmptrap
Labs
Last updated