5.1.4 - Unquoted Service Path

Unquoted Service Path

8 - Unquoted Service Path | Windows Privilege Escalation

The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but lacks proper quotation marks. This leads the operating system to search for the service binary using a specific sequence of rules, potentially allowing an attacker to exploit the path traversal behavior.

When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.

Example Service Configuration

SERVICE_NAME: SimpleService
    BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

1. C:\Users\Quickemu\Downloads\Example.exe

2. C:\Users\Quickemu\Downloads\Example Directory\Another.exe

3. C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

PowerUp

• List path for windows services:

Get-WmiObject -Class win32_service | select pathname

• Get services with unquoted paths and a space in their name:

Get-ServiceUnquoted -Verbose

• Get services where the current user can write to its binary path and change arguments to the binary:

Get-ModifiableServiceFile -Verbose

• Get the services whose configuration current user can be modified:

Get-ModifiableServiceFile -Verbose

• Override and Update rights of an existing service

sc.exe sdshow snmptrap

Labs

• Learning Object 5 lab