5.1.4 - Unquoted Service Path

Unquoted Service Path

8 - Unquoted Service Path | Windows Privilege Escalationdev-angelist.gitbook.io

The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but lacks proper quotation marks. This leads the operating system to search for the service binary using a specific sequence of rules, potentially allowing an attacker to exploit the path traversal behavior.

When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.

Example Service Configuration

SERVICE_NAME: SimpleService
    BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

C:\Users\Quickemu\Downloads\Example.exe
C:\Users\Quickemu\Downloads\Example Directory\Another.exe
C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

PowerUp

List path for windows services:

Get-WmiObject -Class win32_service | select pathname

Get services with unquoted paths and a space in their name:

Get-ServiceUnquoted -Verbose

Get services where the current user can write to its binary path and change arguments to the binary:

Get-ModifiableServiceFile -Verbose

Get the services whose configuration current user can be modified:

Get-ModifiableServiceFile -Verbose

Override and Update rights of an existing service

sc.exe sdshow snmptrap

Labs

Learning Object 5 lab

Previous5.1.3 - GPO Abuse Next5.2 - Tools

Last updated 8 months ago

hashtagUnquoted Service Path

hashtagExample Service Configuration

hashtagPowerUp

hashtagLabs

Unquoted Service Path

Example Service Configuration

PowerUp

Labs