SOLVED

Windows Unquoted Service Path Enumeration - Is this still the case in modern Windows (10, 11)?

Iron Contributor

Hi Folks, 

This could be irrelevant, as the issue goes back a few years and Microsoft may have already fixed it, but I just wanted to verify/confirm.

The Windows Unquoted Service Path Enumeration vulnerability was identified back in 2013 (or maybe even earlier). In simple terms, when a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running at the SYSTEM privilege level, which most of the time it is). In Windows, if the service path is not enclosed within quotes and contains spaces, it will treat the space as a break and pass the rest of the service path as an argument.

Ref: https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8...

So my question is: is this still a vulnerability in the modern versions of Windows, 10 and 11?

Appreciate any inputs/recommendations!
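An audit script for the condition described above, added here as an example; it is not code from the thread or from any project mentioned in it. It assumes an elevated PowerShell session and that the executable portion of each ImagePath ends in ".exe" (paths that do not match are only reported for manual review).

```powershell
# Added example, not code from the thread or from the VectorBCO project.
# Audits every service ImagePath under HKLM for an unquoted executable whose
# path contains a space and, with -Fix, wraps the executable portion in quotes.
# Assumes an elevated session and that the executable portion ends in ".exe".
#   .\Find-UnquotedServicePath.ps1              # report only
#   .\Find-UnquotedServicePath.ps1 -Fix -WhatIf # show what would change
#   .\Find-UnquotedServicePath.ps1 -Fix         # rewrite ImagePath
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Executable = everything up to the first ".exe"; whatever follows is arguments.
$pattern = '^(?<exe>[^"]*?\.exe)(?<args>\s.*)?$'

foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $name      = $key.PSChildName
    $imagePath = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ([string]::IsNullOrWhiteSpace($imagePath)) { continue }   # no ImagePath value
    if ($imagePath.TrimStart().StartsWith('"')) { continue }      # already quoted

    $m = [regex]::Match($imagePath, $pattern, 'IgnoreCase')
    if (-not $m.Success) {
        # Drivers (.sys) and unusual entries: only worth a look if a space is present.
        if ($imagePath -match ' ') { Write-Warning "${name}: review manually: $imagePath" }
        continue
    }
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { continue }   # spaces only in the arguments are harmless

    $fixed = '"' + $exe + '"' + $m.Groups['args'].Value
    [pscustomobject]@{ Service = $name; ImagePath = $imagePath; Proposed = $fixed }

    if ($Fix -and $PSCmdlet.ShouldProcess($name, "Set ImagePath to $fixed")) {
        # Preserve the existing value type (REG_SZ vs REG_EXPAND_SZ).
        $kind = $key.GetValueKind('ImagePath')
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed -Type $kind
    }
}
```

Run it without -Fix first and confirm each proposed value points at the real executable, since the ".exe" split is a heuristic; a service whose ImagePath is correct but unquoted still counts as a finding only if the space falls inside the executable's path.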

5 Replies

Apparently there still seem to be a lot of applications with this vulnerability out there, but that doesn't necessarily mean it falls under Microsoft. I'd imagine it simply means that you should update the application as soon as the 3rd party releases a fix.

i.e. CVE-2022-27050 (mitre.org): BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability.

Ref - https://www.cvedetails.com/vulnerability-list/cweid-428/vulnerabilities.html

best response confirmed by Manoj Karunarathne (Iron Contributor)
Solution
The above response is the latest on this, as I could not fetch anything specific to Microsoft on this. This script does a fantastic job of fixing the paths if there are any, so if you happen to have this issue, it'd be really handy (hats off to those who contributed to this project!) - https://github.com/VectorBCO/windows-path-enumerate/

@Manoj Karunarathne 

How do you know if it succeeds? My vulnerability solution indicates the existence of the threat but does not specify the reg keys that are unquoted for the server KDSERVICE (Kyocera Printer Driver).

@juan21352 

I managed to replicate this. Just copy 'calc.exe' to your c:\ and rename it as 'documents.exe' and another copy as 'program.exe'.

Now every time you restart your computer, a calculator will open up. 

This happens because startup processes look for "C:\Program Files\*" but end up running "C:\program.exe" with the rest of the path items as arguments.

In reality, if someone malicious gets access to such an extent that they are able to place an executable on your C: drive, I call that checkmate anyway.

Yes, locating the key under HKLM... Service, I was able to manually add the quotes; this can also be applied via GPO to add the quotes by updating the string.