Unquoted Service Paths

This is another interesting attack vector: it abuses the way the CreateProcess function handles an executable whose directory path contains spaces. The service control manager calls CreateProcess to start a service, and the result is a new process running the service binary.

When the service executable lives in a path that contains spaces, for example "C:\Program Files\Fun Games\XYZ Corp\executables\run.exe", and that path is not enclosed in quotes, the function will try to execute the following, in order:

  1. C:\Program.exe

  2. C:\Program Files\Fun.exe

  3. C:\Program Files\Fun Games\XYZ.exe

  4. C:\Program Files\Fun Games\XYZ Corp\executables\run.exe

There are a couple of important things to note:

  1. The service's binary path must be unquoted and contain spaces

  2. The user must have permission to write into one of the folders on that path

  3. The user must have permission to restart the service, or the service must be set to auto-start on boot with the user having permission to restart the system

The first condition can be checked by listing the running services along with their binary paths using this.

Check whether the user has permission to start/stop the service using this.

Then icacls can be used to check the permissions of the folders.
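The search order above and the folder checks described here can be audited in one place from the defender's side. The following PowerShell is an added example and is not part of the original page or of PowerUp; it expands an unquoted ImagePath into the candidate executables CreateProcess would try, reports which of those intermediate directories a low-privileged principal can create files in, and can quote the path to close the issue. It assumes it runs from an elevated PowerShell on the host being audited; the function names, the principal list and the registry-based remediation are this example's own assumptions.

```powershell
# Added example, not from the original page: audit a Windows host for services
# whose binary path is unquoted and contains spaces, list the candidate paths
# that CreateProcess would try, report which intermediate directories a
# low-privileged principal can write to, and optionally quote the path.
# Assumption: run from an elevated PowerShell on the host being audited.

function Get-UnquotedCandidatePath {
    # Expand one unquoted ImagePath into the executables CreateProcess would try:
    # everything before each space with ".exe" appended, then the full path.
    param([Parameter(Mandatory)][string]$ImagePath)
    $text = $ImagePath.Trim()
    # Drop any service arguments that follow the executable name.
    $exeEnd = $text.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exe = if ($exeEnd -ge 0) { $text.Substring(0, $exeEnd + 4) } else { $text }
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += ($exe.Substring(0, $idx) + '.exe')
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    $candidates += $exe
    return $candidates
}

function Get-WritePrincipal {
    # Return the subset of $Principals holding an Allow ACE that permits file
    # creation in $Path (CreateFiles, GENERIC_WRITE or GENERIC_ALL; Modify and
    # FullControl include CreateFiles). Deny ACEs and group nesting are not
    # evaluated, so confirm any hit with icacls before acting on it.
    param([string]$Path, [string[]]$Principals)
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000
    $hits = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
            $hits += $ace.IdentityReference.Value
        }
    }
    return ($hits | Select-Object -Unique)
}

function Find-UnquotedServicePath {
    # One row per (service, intermediate candidate) for every service whose
    # ImagePath is unquoted and has a space before the executable name.
    # The principal list is an assumption; extend it to the groups you care about.
    param([string[]]$Principals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'))
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        if ($svc.PathName.TrimStart().StartsWith('"')) { continue }   # already quoted
        $candidates = @(Get-UnquotedCandidatePath -ImagePath $svc.PathName)
        if ($candidates.Count -le 1) { continue }                      # no space in the path itself
        # The last candidate is the real binary; only the shortcuts before it matter here.
        foreach ($candidate in $candidates[0..($candidates.Count - 2)]) {
            $dir = Split-Path -Path $candidate -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                StartMode  = $svc.StartMode
                RunAs      = $svc.StartName
                Candidate  = $candidate
                Directory  = $dir
                WritableBy = (Get-WritePrincipal -Path $dir -Principals $Principals) -join ', '
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Rewrite the service's ImagePath so the executable is quoted and any
    # arguments are preserved after it. Supports -WhatIf to preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($current.TrimStart().StartsWith('"')) { return $current }
    $exeEnd = $current.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) { throw "ImagePath for $Name has no .exe to quote: $current" }
    $exe   = $current.Substring(0, $exeEnd + 4).Trim()
    $rest  = $current.Substring($exeEnd + 4)
    $fixed = '"' + $exe + '"' + $rest
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    }
    return $fixed
}

# Candidate expansion for the page's example path (constructed input, no service needed):
Get-UnquotedCandidatePath -ImagePath 'C:\Program Files\Fun Games\XYZ Corp\executables\run.exe'

# Audit the host and preview a fix (constructed service name):
Find-UnquotedServicePath | Where-Object WritableBy | Format-Table -AutoSize
Repair-UnquotedServicePath -Name 'ServiceName' -WhatIf
```

The expansion call returns C:\Program.exe, C:\Program Files\Fun.exe, C:\Program Files\Fun Games\XYZ.exe and then the full path, matching the order listed above. A row with a non-empty WritableBy column is the condition to fix: quote the path, and separately tighten the directory ACL, since quoting protects this service but a user-writable folder under C:\Program Files remains a weakness for anything else installed there.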

Alternatively, a PowerShell script called PowerUp.ps1 can be used to check whether this vulnerability exists. The PowerUp script can be downloaded to the system and the following commands used to check and abuse a vulnerable service:

powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'ServiceName' -Path "C:\Program Files\Fun Games\XYZ Corp\executables\run.exe"

Once everything checks out, a malicious binary can be created that either adds a new user with admin permissions or sends a reverse shell back to your system.

Place the binary in the appropriate path, then restart the service or restart the system using this.
