Unlocking the Mystery of Unquoted Service Paths: Another Opportunity for Privilege Escalation 

Introduction 

What is an unquoted service path and why does it matter? This blog will go over what an unquoted service path looks like, how an attacker enumerates and exploits them, and lastly how you can audit your own services and ensure they are hardened against this vulnerability. 

An unquoted service path occurs when a service is installed with an executable path that contains spaces but is not enclosed in quotes. The second condition for abuse is that a low-privileged user has write permission to one of the directories along that path. Attackers can take advantage of this because of how Windows resolves the service executable: it reads the path from left to right, treats each space as a possible end of the file name, and tries each resulting candidate until it finds an executable to run.

For a service configured with the path C:\Program Files\Inventory Service\inventory svc.exe, Windows will attempt to run the following, in order:

  1. C:\Program.exe (Malicious service binary will run if attacker can write to C:\) 
  2. C:\Program Files\inventory.exe (Malicious service binary will run if attacker can write to Program Files) 
  3. C:\Program Files\Inventory Service\inventory svc.exe (Finally arriving at the specified path) 

Unquoted service paths can be present due to either user or installer error. The presence of an unquoted service path matters because an attacker can enumerate these paths and leverage them for privilege escalation. It is worth noting that this not only gives an attacker an avenue for local privilege escalation: if the service is set to run as a domain user, or worse, a Domain Admin, the attacker inherits the permissions and group memberships of that account, arming them with even more dangerous capabilities.

In the Trenches…  

Let’s examine some of the common unquoted service paths we’ve seen in our customers’ environments. 

C:\Program Files\{REDACTED}\{REDACTED}\ServiceHost.exe 
C:\Program Files\{REDACTED}\bin\{REDACTED}.exe 
C:\WINDOWS\system32\{REDACTED}\Intel(R) Audio Service\IntelAudioService.exe 
C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe 
C:\Program Files (x86)\{REDACTED}\{REDACTED}\{REDACTED} Management Service\{REDACTED}AppxService.exe 

The following scenario is based on an incident in which an unquoted service path was abused in the wild on a remote system:

Scenario 

An attacker has gained initial access to a Windows server as a standard domain user and is looking to escalate their privileges to Domain Admin. Having exhausted all other paths for privilege escalation, they decide to enumerate the target system further for local privilege escalation. While doing so, they stumble upon an unquoted service path vulnerability in a local inventory service and determine that the service is running as a service account that happens to be a Domain Admin. This is how they will move vertically to one of the domain controllers: they abuse the unquoted service path to introduce their custom C2 payload into the environment via a malicious service binary, escalate to Domain Admin, and then proceed to run ransomware on the domain controller.

Now, let’s go through the phases of this attack chain. 

Enumeration 

To enumerate systems for this vulnerability, attackers may utilize the following tools:

  • wmic
  • sc
  • icacls
  • SharpUp or other pre-built tools

Manual Enumeration: 

  1. The attacker uses wmic to enumerate unquoted service paths.
  2. Next, the attacker uses sc to find the START_TYPE, BINARY_PATH_NAME, and SERVICE_START_NAME of the service.
  3. The attacker sees that the service is running as the domain user 'NORTH\inventory_svc' and queries that account's group memberships (they determine that this user is a member of the Domain Admins group).
  4. The attacker uses icacls to see what permissions are set on the service path.

Tool Enumeration: 

To make things easier, the attacker can run SharpUp with the following arguments:

    SharpUp.exe audit UnquotedServicePath

So, what does an attacker know at this point? 

  • There is a vulnerable service named "Inventory Service".
  • The service automatically starts when the computer is booted.
  • The service is running as a Domain Admin.
  • BUILTIN\USERS can write to the service path.
  • C:\Program\Inventory Service\inventory is modifiable.

Exploitation 

  1. The attacker first verifies that the service is running.
  2. Next, the attacker downloads a C2 payload to the "C:\Program Files\Inventory Service" folder and gets a callback in the C2 admin panel as inventory_svc.
  3. The attacker then uses the Domain Admin account to access the domain controller and deploy ransomware.

Prevention and Best Practices 

To harden systems against this vulnerability, ensure the service configuration contains quotes around the executable path, and, most importantly, audit the permissions of the service path and executable to prevent unwanted changes. Once an unquoted service path is discovered, edit the service configuration with sc config so that the binPath= value encloses the path in double quotes.

(Note that the space after binPath= is required, and the quotes around the path must be escaped as \" so they survive the command line.)

  • This ensures that Windows interprets the full path as a single executable and doesn’t mistakenly attempt to run something like: 

    C:\Program.exe 

    C:\Program Files\Example.exe 

  • One final measure is to use icacls to remove Modify permissions from standard users on the service's directory and executable, while still allowing the Read/Execute access the service needs.
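The manual enumeration steps above (wmic, sc, icacls) and the two remediation steps (quoting the path, tightening the ACL) can be folded into a single audit that a defender runs on their own hosts. The following PowerShell is an added example written for this post; it is not code from the original article or from Blackpoint, and the script name Audit-UnquotedServicePaths.ps1 and the -Fix switch are my own choices. It assumes an elevated PowerShell 5.1 or later session on the machine being audited. For each unquoted path it lists every intermediate candidate the Service Control Manager would try (it goes further than the three-step list above by also including candidates such as the .exe formed from the first word of the service's own folder), flags directories where BUILTIN\Users, Everyone or Authenticated Users can create files, and with -Fix rewrites the path with quotes through the Win32_Service Change method, which makes the same configuration change as the sc config binPath= command described above.

```powershell
<#
  Audit-UnquotedServicePaths.ps1  (hypothetical name; added example, not from the original post)
  Finds services whose binary path contains spaces but is not quoted, lists the
  intermediate "C:\Program.exe"-style candidates the SCM would try, and checks
  whether low-privileged principals can create files in any of those directories.
  With -Fix, re-writes the service path with quotes via Win32_Service.Change,
  equivalent to:  sc config <svc> binPath= "\"C:\path with spaces\svc.exe\""
  Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Fix
)

# Principals that should never be able to write into a service's path.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# FileSystemRights bits that let a principal drop a new file into a directory:
# CreateFiles/WriteData (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteBits = 0x2 -bor 0x10000000 -bor 0x40000000

function Get-WeakWriteAces {
    # Returns the Allow ACEs on $Directory that grant file-creation rights to a low-privileged principal.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return @() }
    $acl = Get-Acl -LiteralPath $Directory
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $WriteBits)
    }
}

function Get-SearchCandidates {
    # Returns every executable the SCM would try before the intended one,
    # e.g. C:\Program.exe, C:\Program Files\Inventory.exe, ..., then the real target.
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $ExePath
}

$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName }
foreach ($svc in $services) {
    $raw = $svc.PathName.Trim()
    # Already quoted, or no ".exe" to split on: nothing to audit.
    if ($raw.StartsWith('"')) { continue }
    if ($raw -notmatch '^(?<exe>[^"]*?\.exe)(?<args>.*)$') { continue }
    $exe     = $Matches['exe']
    $svcArgs = $Matches['args']
    # Spaces only in the arguments are harmless; the risk is a space inside the executable path.
    if ($exe -notmatch ' ') { continue }

    Write-Host "`n[!] Unquoted service path: $($svc.Name)  (runs as $($svc.StartName), start mode $($svc.StartMode))"
    Write-Host "    PathName: $raw"

    foreach ($candidate in Get-SearchCandidates -ExePath $exe) {
        $dir  = Split-Path -Path $candidate -Parent
        $weak = Get-WeakWriteAces -Directory $dir
        $flag = if ($weak) {
            'WRITABLE by ' + (($weak.IdentityReference.Value | Select-Object -Unique) -join ', ')
        } else { 'ok' }
        Write-Host ("    would try {0,-60} dir ACL: {1}" -f $candidate, $flag)
    }

    if ($Fix) {
        # Same effect as `sc config <name> binPath= "\"<exe>\"<args>"`, without the shell-quoting pitfalls.
        $quoted = '"{0}"{1}' -f $exe, $svcArgs
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $quoted }
        if ($result.ReturnValue -eq 0) {
            Write-Host "    [+] Path rewritten to: $quoted"
        } else {
            Write-Warning "Change() failed for $($svc.Name) with return code $($result.ReturnValue)"
        }
    }
}
```

Run the script once without arguments to review the findings, then with -Fix to quote the paths. It deliberately leaves ACLs alone: a directory flagged as writable should be fixed per directory after checking what else lives there, for example with icacls "<dir>" /grant:r "BUILTIN\Users:(OI)(CI)RX" (preceded by icacls "<dir>" /inheritance:d if the weak ACE is inherited from a parent), which is the read/execute-only posture the bullet above describes. Note that with default Windows ACLs the C:\ root only allows standard users to create folders, not files, so the C:\Program.exe candidate normally reports ok; the usual finding is the application's own folder under Program Files.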

Conclusion 

Understanding and mitigating unquoted service path exploitation is crucial for defending against these seemingly innocuous configuration oversights. By understanding how attackers enumerate and exploit these paths, and by diligently auditing your own services for their presence, you can proactively harden your systems. Audit services to ensure that any path containing spaces is quoted. Audit permissions to ensure there are no weak permissions on service executable paths or the service executables themselves. Services that adhere to these practices are protected against unquoted service path vulnerabilities, giving you and your customers peace of mind that one more privilege escalation vector has been closed.

Author: Thomas Fender 

Date published: May 30, 2025
Author: Blackpoint Cyber
