In Windows environments, when a service is started the system attempts to find the location of the executable in order to launch the service. If the path to the executable is enclosed in quotes (“”) then the system knows where to find it. However, if the path to the application binary is not enclosed in quotes, Windows will try to locate and execute it inside every folder of this path until it reaches the executable.

This can be abused in order to elevate privileges if the service is running under SYSTEM privileges.

Method 1 – Manual Exploitation

The first step is to discover all the services that are running on the target host and identify those whose paths are not enclosed in quotes.

The following command can be used as a quick way for this identification:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

[Screenshot: Identification of Service without Quotes]

The next step is to identify the level of privilege that this service is running with. This can be identified easily:

[Screenshot: Vulnerable Service Running as System]

Since the service is running as SYSTEM and its path is not enclosed in quotes, the final check is to determine whether standard users have “Write” access to the directory where the service is located or to any parent directory such as C:\ or C:\Program Files (x86)\. Folder permissions can be identified with a Windows built-in tool called icacls (Integrity Control Access Control Lists):

[Screenshot: Identification of Write Access]

The users in the Lenovo folder have the ability to write content (W), which means that it is possible to generate a malicious binary and plant this executable inside that folder. When the service is restarted, Windows will launch this executable instead of the legitimate one, giving SYSTEM privileges to the user.

Metasploit can be used in order to generate the binary that needs to be dropped into the target system.

[Screenshot: Unquoted Service Path – Payload Generation]
[Screenshot: Replacing the original binary with the Metasploit payload]

From Metasploit a listener needs to be configured so the payload can establish a connection back to the system of the attacker:

[Screenshot: Configuring the Metasploit Listener]

As soon as the service is restarted the payload will be executed and will return a Meterpreter session with the privileges of the original service, which in this case is SYSTEM:

[Screenshot: Restarting the vulnerable service]
[Screenshot: Execution of Payload and Escalation of Privileges to SYSTEM]

Method 2 – Metasploit

Metasploit Framework provides a module that can automatically check the target system for any vulnerable services, generate the payload, drop the binary into the target folder that has Write access, restart the service and remove the binary as soon as the payload is executed and a session is created.

In order to be able to use this module an existing Meterpreter session is needed.

[Screenshot: Configuring the Trusted Service Path Metasploit Module]
[Screenshot: Privilege Escalation via Metasploit Trusted Service Path]

Method 3 – PowerSploit

PowerSploit can also be used for discovery and exploitation of this issue: besides the script that identifies all the services running on the system without quote tags, it can also generate a binary that will add a user to the local administrators group.

[Screenshot: Discovery of Unquoted Service with PowerSploit]

As can be seen above, the Get-ServiceUnquoted script not only discovers the service but also performs all the other necessary checks: identification of the path where users have Write access, discovery of the privileges that the service is running with (which in this case is LocalSystem) and determination of whether a user can restart the service. Additionally, it gives the PowerShell function to generate the binary in order to exploit this issue.

By executing the Write-ServiceBinary function, PowerSploit will generate an executable in the specified path with a simple payload that will try to add the user “john” to the local administrators group when the service is restarted.

[Screenshot: Generation of the Service Binary with PowerSploit]
[Screenshot: PowerSploit – Restarting the Service]

The verification that the user has been created and added into the local administrator group can be done with the following command:

[Screenshot: Verification that the user has been created and added to the local admins group]

Conclusion

Nowadays the paths of the majority of applications are enclosed in quote tags. However, there are some major vendors that still release applications configured that way. Additionally, it should be noted that in internal penetration tests a lot of custom applications are vulnerable to this issue and it is always good practice to check for them.

So in order to successfully exploit this issue for privilege escalation, the following requirements need to be in place on the target host:

  • An application executable that is not enclosed in quote tags
  • The application needs to run under the privileges of SYSTEM
  • Users should have Write access in one of the directories of the original binary path
  • Users should be able to restart the service
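
The requirements above, turned into a defensive audit (an added example, not code from the original post): for each unquoted service path it lists the locations Windows tries before the real binary, the folders whose permissions should be reviewed with icacls, and the quoted path that removes the ambiguity. The service records are constructed samples, and the code assumes the executable name ends in .exe.

```python
import ntpath
import re

# Constructed sample records: the wmic columns from Method 1 plus the service account.
SAMPLE_SERVICES = [
    {"name": "ExampleAgent", "startmode": "Auto", "account": "LocalSystem",
     "pathname": r"C:\Program Files (x86)\Example Vendor\Update Agent\agent.exe -run"},
    {"name": "QuotedSvc", "startmode": "Auto", "account": "LocalSystem",
     "pathname": r'"C:\Program Files\Example Vendor\Good Svc\svc.exe" /s'},
    {"name": "WinSvc", "startmode": "Auto", "account": "LocalSystem",
     "pathname": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

def split_image_path(pathname):
    """Split an unquoted service path into (executable, arguments)."""
    m = re.search(r"\.exe\b", pathname, re.IGNORECASE)
    end = m.end() if m else len(pathname)
    return pathname[:end], pathname[end:]

def candidate_paths(pathname):
    """Paths Windows tries, in order, before the real binary of an unquoted path."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []  # quoted: the executable is unambiguous
    exe, _ = split_image_path(pathname)
    found = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            # .exe is appended when the truncated name has no extension
            if "." not in ntpath.basename(prefix):
                prefix += ".exe"
            found.append(prefix)
    return found

def audit(services):
    """Per unquoted path: candidates, folders to review with icacls, quoted fix."""
    findings = []
    for svc in services:
        candidates = candidate_paths(svc["pathname"])
        if candidates:
            exe, args = split_image_path(svc["pathname"].strip())
            findings.append({
                "name": svc["name"],
                "runs_as_system": svc["account"].lower() == "localsystem",
                "candidates": candidates,
                "review_dirs": sorted({ntpath.dirname(c) for c in candidates}),
                "quoted_path": '"%s"%s' % (exe, args),
            })
    return findings
```

Calling audit(SAMPLE_SERVICES) reports only the constructed ExampleAgent service; the quoted path and the path without spaces produce no finding.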

3 Comments

  1. Your first example shows one overwriting the original binary. That's not abusing unquoted service path, that's just abusing poor permissions. I think you meant to create a new directory above the vulnerable one.

  2. Hi.
    Without “everyone” authority, I think it’s impossible.
    It is not possible to plant an EXE file in the path.
    Because it needs UAC privilege.
    Why is this a security issue?
    In my opinion, if the path where the vulnerability is found does not have the “user” privilege write and “everyone” privileges, it is not a vulnerability.
