search

Unquoted Service Paths

This attack relies on windows find an executable path when it's Unquoted.

hashtag
Introduction

When the service starts the CreateProcess function execute, this function receives as a parameter lpApplicationName which is used to specify the path of the binary file. If the provided path is unquoted and include space, Then the windows service will interpreted it in various ways.

For example the path C:\Program Files\program folder\binary.exe will used in the following order: 

C:\Program.exe
C:\Program Files\program.exe
C:\Program Files\program folder\binary.exe

hashtag
Enumeration

Searching for vulnerable services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

Checking permission to create files in execute paths:

icacls "<path>"

The table below describes the permissions definitions icacls results:

Mask
Permissions

F

Full access

M

Modify access

RX

Read and execute access

R

Read-only access

W

Write-only access

hashtag
Exploit

The process is pretty similar to Service Binary Hijacking

  1. Creating The Malicious Binary

  2. Triggering the Execution

hashtag
Automated Process

It is possible to automate the process using well known tool called PowerUp from PowerSploit Collection:

LogoPowerSploit/Privesc/PowerUp.ps1 at master · PowerShellMafia/PowerSploitGitHubchevron-right

Downloading PowerUp.ps1:

Bypassing Execution Policy:

Importing PowerUp.ps1:

Enumerate services with unquoted paths:

Exploiting by creating a malicious binary (the default behavior is to create a new local user called john with the password Password123!)

Triggering the exploit by restarting the service

hashtag
References

LogoWindows-Local-Privilege-Escalation-Cookbook/Notes/UnquotedServicePath.md at master · nickvourd/Windows-Local-Privilege-Escalation-CookbookGitHubchevron-right
UnquotedServicePath
PreviousService DLL HijackingNextScheduled Tasks

Last updated