
Unquoted service path


description: Abusing weak services security, such as Unquoted Service Path


The following actions require a set of conditions to be successful:

  • Service binPATH contains spaces
  • Service binPATH is not enclosed in quotation marks
  • Modify / Write privileges on one of the folders along the service binPATH
  • Service is set to auto-start or we have permission to start/restart it

Get Unquoted Service Path

List all services whose binary path contains spaces but is not enclosed in quotes (services under C:\Windows are filtered out):

Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName

Get permissions of current user on a folder along the path

Check whether the user you control has write permission on one of the folders along the service's binPATH:

icacls.exe <"path">
Get-ACL -Path <"path"> | fl
.\accesschk64.exe -wvud <"path">

Get permissions on the service

This tells you whether the service can simply be restarted or another way to start it has to be found.
For example, if it cannot be restarted manually but its start mode is Automatic, the whole machine has to be restarted.

$acl = Get-Acl -Path <path>
ConvertFrom-SddlString -Sddl $acl.Sddl
icacls.exe <path>
Get-Acl -Path <path> | ft
sc.exe sdshow <service name> showrights

Check service startup mode

Get-Service <service name> | select StartType
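The discovery and permission checks above, combined into one audit function as an added example (not code from the original page): it lists unquoted, space-containing service paths, the directories the loader would probe before reaching the real executable, which broad groups can write there, and the sc.exe command that quotes the path. It assumes an elevated PowerShell 5.1+ session on the audited host; the $BroadGroups list and the .exe-based split between executable and arguments are assumptions.

```powershell
# Added audit example; not from the original page. Assumes an elevated
# PowerShell 5.1+ session on the host being audited.
function Get-UnquotedServicePathRisk {
    [CmdletBinding()]
    param(
        # Groups whose write access on a probed directory counts as a finding (assumption)
        [string[]]$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and -not $_.PathName.StartsWith('"') -and
                       $_.PathName -match ' ' -and $_.PathName -notlike 'C:\Windows*' } |
        ForEach-Object {
            $svc = $_
            # Cut off arguments: only spaces inside the executable path itself are probed by the loader
            $exe = if ($svc.PathName -match '^(?<exe>.+?\.exe)') { $Matches.exe } else { $svc.PathName }
            $parts = $exe.Split(' ')
            $probed = @()
            # CreateProcess tries "C:\Program", "C:\Program Files\This", ... with .exe appended,
            # so the parent directory of every prefix before the real one is a hijack point
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $dir = Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
                if ($dir -and $probed -notcontains $dir -and (Test-Path -LiteralPath $dir)) { $probed += $dir }
            }
            foreach ($dir in $probed) {
                $writers = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $BroadGroups -contains $_.IdentityReference.Value -and
                    (([int]$_.FileSystemRights -band $writeData) -ne 0)
                }
                [PSCustomObject]@{
                    Service    = $svc.Name
                    StartMode  = $svc.StartMode
                    PathName   = $svc.PathName
                    ProbedDir  = $dir
                    BroadWrite = ($writers.IdentityReference.Value -join ', ')
                    # Remediation: quote the executable and leave any arguments outside the quotes
                    Fix        = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $svc.Name, $exe,
                                 $svc.PathName.Substring($exe.Length)
                }
            }
        }
}

# Usage: show only the probed directories that a broad group can write to
Get-UnquotedServicePathRisk | Where-Object BroadWrite | Format-Table -AutoSize
```

Rows with an empty BroadWrite column are unquoted paths that are still safe today because every probed directory is admin-only; they are worth quoting anyway, since a later ACL change would make them exploitable.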

Drop an executable that will be executed at service start

The executable name must match the part of the folder name before the space, for the folder we have permission to write to. For example:

C:\ProgramFiles\This is\A_Test\test.exe <- bin path; the first space-delimited prefix is "C:\ProgramFiles\This", so we need write access to "C:\ProgramFiles\", the parent of "This is"
C:\ProgramFiles\This.exe <- name of the executable dropped in that folder

Have a look at how CreateProcess resolves an unquoted path to understand why the prefixes are tried in that order:
https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa