In Windows environments when a service is started the system is attempting to find the location of the executable in order to successfully launch the service. If the executable is enclosed in quote tags “” then the system will know where to find it. However if the path of where the application binary is located doesn’t contain any quotes then Windows will try to find it and execute it inside every folder of this path until they reach the executable.

This can be abused in order to elevate privileges if the service is running under SYSTEM privileges.

Method 1 – Manual Exploitation

The first step is to try and discover all the services that are running on the target host and identify those that are not enclosed inside quotes.

The following command can be used as a quick way for this identification:

wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””

Identification of Unquoted Service Path
Identification of Service without Quotes

The next step is to try to identify the level of privilege that this service is running. This can be identified easily:

List of Services
Vulnerable Service Running as System

Since the service is running as SYSTEM and is not enclosed in quote tags the final check is to determine if standard users have “Write” access in the directory of where the service is located or in any previous directory like C:\ or C:\Program Files (x86)\. Folder permissions can be identified with the use of a Windows built-in tool called icacls (Integrity Control Access Control Lists):

File Permissions Check for Unquoted Service
Identification of Write Access

The users in the Lenovo folder have the ability to write content (W) which means that it is possible to generate a malicious binary and plant this executable inside that folder. In that way when the service will be restarted, Windows will launch this executable instead of the legitimate one by giving SYSTEM privileges to the user.

Metasploit can be used in order to generate the binary that needs to be dropped into the target system.

Unquoted Service Path - Payload Generation
Unquoted Service Path – Payload Generation
Metasploit Binary
Replacing the original binary with the Metasploit payload

From Metasploit a listener needs to be configured so the payload can establish a connection back to the system of the attacker:

Configuring the Metasploit Listener
Configuring the Metasploit Listener

From the moment that the service will be restarted the payload will be executed and it will return a Meterpreter session with the privileges that the original service had which in this case it was SYSTEM:

Restarting the Vulnerable Service
Restarting the vulnerable service
Unquoted Service Path - Privilege Escalation to System
Execution of Payload and Escalation of Privileges to SYSTEM

Method 2 – Metasploit

Metasploit Framework provides a module that can automatically check the target system for any vulnerable services, generate the payload, drop the binary into the target folder that has Write access, restart the service and remove the binary as soon as the payload is executed and a session is created.

In order to be able to use this module an existing Meterpreter session is needed.

Metasploit - Configuring the Trusted Service Path Module
Configuring the Trusted Service Path Metasploit Module
Privilege Escalation via Metasploit Trusted Service Path
Privilege Escalation via Metasploit Trusted Service Path

Method 3 – PowerSploit

PowerSploit can be used as well as a tool for discovery and exploitation of this issue as except of the script that it can identify all the services running on the system without quote tags it can also generate a binary that will add a user into the local administrator group.

Discovery of Unquoted Services with PowerSploit
Discovery of Unquoted Service with PowerSploit

As it can be seen above the Get-ServiceUnquoted script not only discovered the service but it does all the other necessary checks as well like: identification of the path that users have Write access, discovery of the privileges that the service is running (which in this case is LocalSystem) and determination of whether a user can restart the service. Additionally it gives the PowerShell function to generate the binary in order to exploit this issue.

By executing the Write-ServiceBinary function PowerSploit will generate an executable into the specified path with a simple payload that it will try to add the user “john” into the local administrators group when the service will be restarted.

Generation of the Service Binary with PowerSploit
Generation of the Service Binary with PowerSploit
PowerSploit - Restart the Service
PowerSploit – Restarting the Service

The verification that the user has been created and added into the local administrator group can be done with the following command:

PowerSploit - Local Admin Verification
Verification that the user has been created and added to the local admins group

Conclusion

In nowadays the majority of the applications are enclosed quote tags. However there are some major vendors that still release application configured that way. Additionally it should be noted that in internal penetration tests a lot of custom applications are vulnerable to this issue and it is always a good practice to check for them.

So in order to be able to successfully exploit this issue for privilege escalation the following requirements needs to be in place into the target host:

  • An application executable that is not enclosed in quote tags
  • The application needs to run under the privileges of SYSTEM
  • Users should have Write access in one of the directories of the original binary path
  • Users should be able to restart the service

2 Comments

  1. your first example shows one overwriting the original binary. thats not abusing unqouted service path, thats just abusing poor permissions. I think you meant to create a new directory above the vulnerable one.

  2. Hi.
    Without “everyone” authority, I think it’s impossible.
    It is not possible to plant a EXE file in the path.
    Because need UAC privilege.
    Why is this a security issue?
    In my opinion, if the path where the vulnerability is found does not have the “user” privilege write and “everyone” privileges, it is not a vulnerability.

Leave a Reply to anon Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s