Unquoted Service Path
Introduction
We can use this attack when we have write permissions to a service's main directory or one of its subdirectories but cannot replace the files within them. Each Windows service maps to an executable file that is run when the service is started. If the path of this file contains one or more spaces and is not enclosed in quotes, it may become an opportunity for a privilege escalation attack.
When a service is started and a process is created, the Windows CreateProcess function is used. Its first parameter, lpApplicationName, specifies the name and optionally the path of the executable file. If the provided string contains spaces and is not enclosed in quotation marks, it can be interpreted in several ways, because the function cannot tell where the file name ends and the arguments begin. To resolve this, the function reads the path from left to right until it reaches a space. At each space, it treats the preceding part (with .exe appended) as the file name and the remainder as arguments.
Consider the unquoted service binary path C:\Program Files\My Program\My Service\service.exe. Because of the spaces in the path, Windows will try to start the executable in the following order when the service starts:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe
To exploit this and subvert the original unquoted service call, we must create a malicious executable, place it in a directory that corresponds to one of the interpreted paths, and give it the interpreted file name. Once the service is started, our file is executed with the same privileges as the service.
Enumerate Running and Stopped Services
You can enumerate services using the Get-CimInstance cmdlet:
PS C:\Users\steve> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Name         State   PathName
----         -----   --------
...
GammaService Stopped C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
...
A more effective way to identify spaces in the paths and missing quotes is the WMI command-line (WMIC) utility. We enter service to obtain service information and the verb get with name and pathname as arguments to retrieve only those property values. We pipe the output of this command to findstr with /i for case-insensitive searching and /v to print only the lines that don't match; as the argument we give "C:\Windows\" so that only services with a binary path outside the Windows directory are shown. We pipe that output to a second findstr command, which uses """ as its argument to print only lines without quotes.
Test User Permission Over Service and Path
After identifying a potentially vulnerable service binary, test your ability to start and stop the service.
Then check whether we have write permissions over the Enterprise Apps path:
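The enumeration and the permission check above can be combined into one audit. The following is an added example, not code from the original page: it lists services with unquoted, space-containing paths, expands the candidate executables that CreateProcess would probe (each space-delimited prefix with .exe appended, as described in the introduction), and flags candidate directories where low-privileged groups hold create-file rights. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the -PathName parameter is only there so the expansion can be tested against a supplied list of paths.

```powershell
# Added audit example, not code from the original page.
# Assumes it runs on Windows with the CimCmdlets module available.
function Get-UnquotedServiceCandidates {
    param([string[]]$PathName)   # optional: supply paths instead of querying services
    if (-not $PathName) {
        $PathName = (Get-CimInstance -ClassName Win32_Service).PathName
    }
    foreach ($p in $PathName) {
        # Quoted, empty or space-free paths are unambiguous: skip them.
        if ([string]::IsNullOrWhiteSpace($p) -or $p.StartsWith('"') -or $p -notmatch ' ') { continue }
        # Keep only the executable portion; ImagePath may carry arguments after the .exe.
        $exe = $p
        $idx = $p.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($idx -ge 0) { $exe = $p.Substring(0, $idx + 4) }
        # Binaries under C:\Windows\ are excluded, matching the page's findstr filter.
        if ($exe -like 'C:\Windows\*') { continue }
        $parts = $exe -split ' '
        # Each prefix ending at a space is a file name CreateProcess would try first;
        # the real binary (the full path) is deliberately not listed.
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                ServicePath = $p
                Candidate   = $candidate
                Directory   = Split-Path -Path $candidate -Parent
            }
        }
    }
}

function Test-WeakDirectoryAcl {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $weak = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weak -notcontains $ace.IdentityReference.Value) { continue }
        # Bit 2 is FILE_WRITE_DATA (CreateFiles); it is part of Write, Modify and FullControl.
        if (([int]$ace.FileSystemRights -band 2) -ne 0) { return $true }
    }
    return $false
}

# Report only candidates whose directory a low-privileged user could write to.
Get-UnquotedServiceCandidates |
    Where-Object { Test-WeakDirectoryAcl -Directory $_.Directory } |
    Format-Table ServicePath, Candidate, Directory -AutoSize
```

Running it against the GammaService path from the listing above yields the candidates C:\Program.exe, C:\Program Files\Enterprise.exe and C:\Program Files\Enterprise Apps\Current.exe; any of those directories that grants Users or Everyone create-file rights is the finding a remediation should quote the path and tighten the ACL for.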
Place Malicious Binary in the Path
Windows will look for the binary in the following order:
This means we can place a malicious executable named "Current.exe" in the Enterprise Apps directory.
When we start the service again, expect an error because the service cannot start, but our code has already been executed:
Using PowerUp to Identify Unquoted Service Path