8 - Unquoted Service Path

Unquoted Service Path Vulnerability

The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but is not enclosed in quotation marks. Windows then has to guess where the executable name ends, and it searches for the service binary using a specific sequence of rules. An attacker can potentially exploit this search behavior.

When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.

Example Service Configuration

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

  1. C:\Users\Quickemu\Downloads\Example.exe

  2. C:\Users\Quickemu\Downloads\Example Directory\Another.exe

  3. C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

Attack Scenario

An attacker with write access to any of the intermediate directories can plant a malicious binary, such as Example.exe. When the service starts, Windows will execute the malicious binary instead of the intended service binary.


Exploiting Unquoted Service Paths

Exploit Steps

  1. Identify the Vulnerable Service. View the service configuration:

  2. Create a Malicious Binary. Generate a reverse shell binary:

  3. Place the Malicious Binary in a Targeted Path

  4. Restart the Service

When the service restarts, Windows will execute Example.exe instead of simpleService.exe, effectively hijacking the service.


Additional Examples

Example 1

For the binary path:

The following binaries will be checked in order:

  1. C:\Program.exe

  2. C:\Program Files.exe

  3. C:\Program Files (x86)\Company\Company.exe

  4. C:\Program Files (x86)\Company\Company App\App.exe

Example 2

For the binary path:

The following binaries will be checked in order:

  1. C:\Program\Cool.exe

  2. C:\Program\Cool Company\Cool.exe

  3. C:\Program\Cool Company\Cool Binary.exe
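
The search order shown in these examples can be reproduced offline to audit exported ImagePath values: for each unquoted path, list the stray candidates that must not exist (and whose parent directories should not be writable by non-administrators) along with the quoted form to set. This Python code is an added example, not part of the original page or of winPEAS; the service names, the arguments after the executables, and the simplified parsing model are assumptions.

```python
import ntpath

# Constructed sample data: service names and arguments are hypothetical; the
# first two paths are the page's examples, the last two are for contrast.
SAMPLE_SERVICES = {
    "SimpleService": r"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe",
    "CompanyApp": r"C:\Program Files (x86)\Company\Company App\App.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Vendor\Agent Svc\agent.exe" --service',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def candidate_paths(image_path):
    """Executables Windows would try, in order, for one ImagePath string.

    Simplified model (assumption): split at each space, append .exe when the
    prefix has no extension, stop at the first prefix ending in .exe.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:].split('"', 1)[0]]  # quoted: one unambiguous target
    words = path.split(" ")
    candidates = []
    for i, word in enumerate(words, start=1):
        if not word:  # consecutive spaces add no new candidate
            continue
        prefix = " ".join(words[:i])
        has_ext = bool(ntpath.splitext(prefix)[1])
        candidates.append(prefix if has_ext else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; the rest are arguments
    return candidates


def audit(services):
    """Map each unquoted, ambiguous service to its stray candidates and fix."""
    findings = {}
    for name, image_path in services.items():
        raw = image_path.strip()
        cands = candidate_paths(raw)
        if raw.startswith('"') or len(cands) < 2:
            continue  # quoted, or no space before the binary: nothing to fix
        exe = cands[-1]
        # Keep any arguments outside the quotes; quote everything if unsure.
        quoted = f'"{exe}"{raw[len(exe):]}' if raw.startswith(exe) else f'"{raw}"'
        findings[name] = {"must_not_exist": cands[:-1], "quoted": quoted}
    return findings


if __name__ == "__main__":
    for svc, info in audit(SAMPLE_SERVICES).items():
        print(svc, info["must_not_exist"], "->", info["quoted"])
```

On a live system the input dictionary would be built from each service's ImagePath value instead of the constructed sample.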


Enumeration of Unquoted Service Paths

Using winPEAS

winPEAS can identify unquoted service paths.

Example Output

Look for the following indicators in the output:


Fixing the Vulnerability

Fix Using RegEdit

  1. Open the Registry Editor (regedit.exe).

  2. Navigate to:

  3. Locate the ImagePath value and add quotes around the binary path:

Fix Using sc.exe

Use the sc.exe command to update the service path with quotes:

