Overview
In Windows environments it is possible to escalate privileges via misconfigured services. The most common causes are insecure permissions on the service executable, unquoted service paths, and insecure permissions on the service object itself (which let a low-privileged user reconfigure the service). In this article I will walk through the exploitation of unquoted service paths and how to fix them.
Unquoted Service Paths
If you would like to follow along with this article all the examples used are from the Windows Privilege Escalation room on TryHackMe.
To understand this vulnerability we must first understand how Windows looks for an executable when the service path is not quoted. Take the following service as an example.

We can see the intended path to the executable in the BINARY_PATH_NAME field. However, since there are no quotes around it, Windows treats each space as a possible end of the executable name and looks for the service binary in the following order:
- C:\MyPrograms\Disk.exe
- C:\MyPrograms\Disk Sorter.exe
- C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe
If we can create any of the executables that are tried before the intended one, the service will run our arbitrary executable with the permissions of the service account (usually SYSTEM). For this to work we must be able to write to the directory that Windows searches for those earlier candidates; in this example that is the directory the service is installed under, C:\MyPrograms. We can check the permissions of this directory using icacls.

In this example the BUILTIN\Users group has the AD (append data / add subdirectory) and WD (write data / add file) rights on C:\MyPrograms, so any user can create files and subdirectories there. From here all we need to do is build our executable and place it in one of the previously mentioned locations, for example C:\MyPrograms\Disk.exe.
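The two checks above, computing the candidate paths and confirming that their parent directory is writable, can be scripted. The following PowerShell is an added example, not code from the original article or from the TryHackMe room: Get-UnquotedPathCandidates reproduces the search order Windows uses for an unquoted path, Test-ParentDirWritable probes whether the current user can create a file where a candidate would go (the same thing the icacls check establishes by hand), and the final pipeline runs both over every auto-start service outside C:\Windows on the local machine. Function names are mine, and the Disk Sorter path is only used as a worked input.

```powershell
# Added example, not from the original article or the TryHackMe room.
# Lists the paths Windows will try for an unquoted service path and checks
# whether the current user can create a file in each candidate's parent
# directory. Function names are mine; the Disk Sorter path is a worked example.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ServicePath)

    # A quoted path is not vulnerable; nothing to enumerate.
    if ($ServicePath -match '^\s*"') { return @() }

    # Keep only the executable part: cut at the first ".exe" that is followed
    # by a space or the end of the string, so arguments such as "-service"
    # are ignored and "foo.exe.config\bar.exe" is not cut too early.
    $m = [regex]::Match($ServicePath, '^(.+?\.exe)(?=\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $exePath = $m.Groups[1].Value

    # For every space, Windows first tries the text before it with ".exe"
    # appended, and only then the next longer prefix, ending with the real path.
    $parts = $exePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    $candidates += $exePath
    return $candidates
}

function Test-ParentDirWritable {
    param([Parameter(Mandatory)][string]$Candidate)

    $dir = Split-Path -Parent $Candidate
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return $false }

    # Probe by actually creating and deleting a file: this accounts for group
    # membership and inherited rights without having to interpret the ACL.
    $probe = Join-Path $dir ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Worked input from the article: returns the three candidates listed above.
Get-UnquotedPathCandidates 'C:\MyPrograms\Disk Sorter Enterprise\bin\disksrs.exe'

# Scan every auto-start service outside C:\Windows (the same filter as the
# wmic one-liner in the Remediation section) and report where a planted
# binary would land. "Intended" marks the real executable, which is only
# interesting for the separate "writable service executable" weakness.
Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartMode -eq 'Auto' -and $_.PathName -and
        $_.PathName -notmatch '^\s*"' -and $_.PathName -match ' ' -and
        $_.PathName -notlike 'C:\Windows\*'
    } |
    ForEach-Object {
        $svc = $_
        $cands = @(Get-UnquotedPathCandidates -ServicePath $svc.PathName)
        foreach ($c in $cands) {
            [pscustomobject]@{
                Service        = $svc.Name
                Candidate      = $c
                Intended       = ($c -eq $cands[-1])
                ParentWritable = Test-ParentDirWritable -Candidate $c
            }
        }
    } | Format-Table -AutoSize
```

A row with Intended = False and ParentWritable = True is exactly the situation in the article: an unprivileged user can drop a binary at that candidate path and it will be picked up before the real service executable. Only the candidates listed before the intended path matter for this technique; a writable parent of the intended executable is the "insecure permissions on the service executable" case mentioned in the overview.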


With our executable in place we can restart the service and get a shell.


Caveats
Exploiting unquoted service paths does require some permissions and some mistakes on the blue team side. A common obstacle is that by default most services are installed under C:\Program Files or C:\Program Files (x86), which are both only writable by administrators. Another is that you often will not have permission to start/stop the service; in that case it is possible to reboot the machine and achieve execution that way if the service is auto-start, but in many situations a reboot causes unacceptable downtime. Finally, the planted binary is not a real service: the Service Control Manager will report that it failed to respond in time (error 1053) and kill it, so the payload should spawn its shell in a separate process straight away, and it should ignore the leftover pieces of the unquoted path that Windows passes to it as command-line arguments.
Remediation
To protect yourself from this kind of vulnerability, put quotes around the executable portion of every service path that contains a space. The following command lists all auto-start services whose path is not quoted and lies outside C:\Windows (it does not check for spaces itself, so review the output), so you can fix them in the registry (the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<service name>) or from the command line.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
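Since wmic is deprecated in current Windows releases, the same remediation can be done in PowerShell. The script below is an added example, not code from the original article: Get-QuotedServicePath quotes only the executable part of a path so that any arguments stay outside the quotes, and Repair-UnquotedServicePaths walks the Services registry key, reports every auto-start service outside C:\Windows whose ImagePath would change, and writes the quoted value back when not run in dry-run mode. It must be run from an elevated PowerShell session; function names and the -DryRun switch are mine.

```powershell
# Added example, not from the original article. Quotes the executable portion
# of every unquoted auto-start service path and writes the fixed value back to
# ImagePath in the registry. Needs an elevated PowerShell session. Function
# names are mine.

function Get-QuotedServicePath {
    param([Parameter(Mandatory)][string]$ServicePath)

    # Already quoted, or no space anywhere: nothing to do.
    if ($ServicePath -match '^\s*"' -or $ServicePath -notmatch ' ') { return $ServicePath }

    # Quote only up to and including the executable so that any arguments
    # (e.g. "-service") stay outside the quotes, where the SCM expects them.
    # The lookahead stops "foo.exe.config\bar.exe" from being cut at "foo.exe".
    $m = [regex]::Match($ServicePath, '^(?<exe>.+?\.exe)(?=\s|$)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return $ServicePath }   # drivers (.sys) etc.: leave alone
    return '"' + $m.Groups['exe'].Value + '"' + $m.Groups['args'].Value
}

function Repair-UnquotedServicePaths {
    param([switch]$DryRun)

    # Read ImagePath straight from the registry rather than Win32_Service so
    # unexpanded values such as %ProgramFiles% are written back unchanged.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }
        if ($props.Start -ne 2) { return }                       # 2 = SERVICE_AUTO_START
        if ($props.ImagePath -like 'C:\Windows\*' -or
            $props.ImagePath -like '%SystemRoot%\*' -or
            $props.ImagePath -like 'System32\*') { return }      # leave Windows' own services alone

        $fixed = Get-QuotedServicePath -ServicePath $props.ImagePath
        if ($fixed -eq $props.ImagePath) { return }

        Write-Output ('{0}: {1} -> {2}' -f $_.PSChildName, $props.ImagePath, $fixed)
        if (-not $DryRun) {
            # ImagePath is normally REG_EXPAND_SZ; keep that type when rewriting it.
            Set-ItemProperty -Path $_.PSPath -Name ImagePath -Value $fixed -Type ExpandString
        }
    }
}

# Review the proposed changes first, then apply them.
Repair-UnquotedServicePaths -DryRun
# Repair-UnquotedServicePaths
```

To fix a single service by hand instead, the equivalent command-line form is sc config <service name> binPath= "\"C:\path with spaces\service.exe\" arguments", with the inner quotes escaped and a space after binPath=. Either way the change takes effect the next time the service starts, so restart it (or reboot) and confirm with sc qc that BINARY_PATH_NAME now shows the quoted path.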
References
https://tryhackme.com/room/windowsprivesc20
https://isgovern.com/blog/how-to-fix-the-windows-unquoted-service-path-vulnerability/