Apr 28 2022 06:40 PM - edited Apr 29 2022 06:59 AM
Hi Folks,
This could be irrelevant as the issue goes back a few years and Microsoft may have already fixed it, but just wanted to verify/confirm.
The Windows Unquoted Path Enumeration vulnerability was identified back in 2013 (or maybe even earlier). In simple terms, when a service is created whose executable path contains spaces and isn’t enclosed within quotes, it leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is). In Windows, if the service is not enclosed within quotes and has spaces, it would handle the space as a break and pass the rest of the service path as an argument.
Ref - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8...
So my question is, is this still a vulnerability in the modern versions of Windows 10, 11?
Appreciate any inputs/recommendations!
Apr 28 2022 10:58 PM - edited Apr 28 2022 11:00 PM
Apparently there still seem to be a lot of applications with this vulnerability out there, but that does not necessarily mean it falls under Microsoft. I'd imagine it simply means that you should update the application as soon as the 3rd party releases a fix.
Ref - https://www.cvedetails.com/vulnerability-list/cweid-428/vulnerabilities.html
May 04 2022 01:10 AM
Solution
Feb 27 2023 08:28 AM
How do you know if it succeeds? My vulnerability solution indicates the existence of the threat but does not specify the reg keys that are unquoted for the server KDSERVICE (Kyocera Printer Driver).
Apr 26 2023 01:18 PM
I managed to replicate this. Just copy 'calc.exe' to your c:\ and rename it as 'documents.exe' and another copy as 'program.exe'.
Now every time you restart your computer, a calculator will open up.
This happens because startup processes look for "C:\Program Files\*" but end up running "C:\program.exe" with the rest of the code items as arguments.
In reality, if someone malicious gets access to such an extent that they are able to place an executable on your c: drive, I call that checkmate anyways.
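An added example, not part of any post in this thread: a PowerShell check that flags service paths that are unquoted and contain spaces, and lists the intermediate `.exe` names Windows would try first, so the write permissions on those folders can be reviewed. The function name and the sample service names and paths are constructed for illustration.

```powershell
# Added example (not from the thread): flag unquoted service paths (CWE-428).
function Get-UnquotedPathCandidate {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($path.StartsWith('"')) { return @() }       # quoted: parsed unambiguously

    # Executable portion = everything up to the first ".exe" that is followed
    # by whitespace or end of string; whatever follows is the argument list.
    $m = [regex]::Match($path, '(?i)^(.+?\.exe)(?=\s|$)')
    if (-not $m.Success) { return @() }             # drivers (.sys) and other formats
    $exe = $m.Groups[1].Value
    if ($exe -notmatch '\s') { return @() }         # no space before .exe: not affected

    # Each space is a point where Windows may stop and try "<prefix>.exe"
    # before reaching the intended binary (documented CreateProcess behaviour).
    $candidates = @()
    for ($i = 0; $i -lt $exe.Length; $i++) {
        if ($exe[$i] -eq ' ') { $candidates += $exe.Substring(0, $i) + '.exe' }
    }
    return $candidates
}

# Constructed sample values in the shape of
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (not real services).
$samples = [ordered]@{
    ExampleQuotedSvc   = '"C:\Program Files\Example Vendor\agent.exe" --service'
    ExampleUnquotedSvc = 'C:\Program Files\Example Vendor\Print Agent\agent.exe -run'
    ExampleNoSpaceSvc  = 'C:\Windows\System32\svchost.exe -k netsvcs'
}

foreach ($name in $samples.Keys) {
    $hits = @(Get-UnquotedPathCandidate -ImagePath $samples[$name])
    if ($hits.Count -gt 0) {
        "{0}: unquoted path with spaces; review write ACLs where these would live:" -f $name
        $hits | ForEach-Object { "    $_" }
    }
}

# On a live host, feed real values instead of the samples
# (Win32_Service exposes Name, PathName and StartName):
# Get-CimInstance Win32_Service |
#     Where-Object { @(Get-UnquotedPathCandidate $_.PathName).Count -gt 0 } |
#     Select-Object Name, StartName, PathName
```

Only `ExampleUnquotedSvc` is reported in the sample run. For a flagged service, the fix is to wrap the executable portion of its `ImagePath` value in double quotes.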
Apr 26 2023 01:21 PM