Windows Unquoted Service Path

Privilege escalation techniques on Windows.

Use this technique when we cannot replace the binary the service executes, but:

  • We can write to one of the directories along the binary's path (typically C:\ or C:\Program Files (x86)\ itself, or a vendor directory under it)
  • The path of the binary contains spaces and the service configuration does not quote it

Detect the vulnerability

Known vulnerabilities

searchsploit unquoted

Services whose path contains spaces and is not quoted

wmic service get name,pathname,startmode | findstr /i /v "c:\windows\\" | findstr /i /v """
sc qc <service name>

sc qc prints the configured BINARY_PATH_NAME, START_TYPE and SERVICE_START_NAME (the account the service runs as); sc query <service name> only prints the current state. wmic is deprecated on current Windows builds, so fall back to the PowerShell query below when it is missing.

Running services

powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

Get-WmiObject is not available in PowerShell 7; Get-CimInstance Win32_Service takes the same pipeline.

Exploit

This was tested on a real target. The search order below is what CreateProcess does with an unquoted command line; verify it on the target rather than trusting documentation alone, which has been inconsistent on this point.

For example, a service uses program:

C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe

Without quotes in the service configuration, the Service Control Manager hands CreateProcess the whole string as a command line, so everything after a space may be an argument. Windows therefore tries each prefix that ends at a space (appending .exe when the prefix has no extension), in order, and runs the first file that exists:

C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Sync.exe
C:\Program Files (x86)\Sync Breeze.exe
C:\Program Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe

Only two directories matter in practice, C:\ and C:\Program Files (x86)\; whichever of them is writable is the target.

To exploit, check the ACL of those directories (icacls) to find one you can write to, place the payload there under the candidate name (for example C:\Program Files (x86)\Sync.exe), then restart the service: sc stop and sc start if you have start/stop rights on it, otherwise a reboot if the service is set to start automatically. Two caveats: the payload receives the rest of the line as its arguments (Files (x86)\Sync Breeze Enterprise\bin\syncbrs.exe), and the SCM kills a started process that does not report a running status within about 30 seconds, so the payload should do its work quickly (add a user, spawn a reverse shell as a detached child) rather than block.

This is by design: the SCM passes the unquoted string to CreateProcess, which cannot tell where the executable name ends and the arguments begin, so it probes at each space. The fix is to quote the path in the service configuration (sc config with a quoted binPath, or the ImagePath registry value) and to make sure no directory on the path is writable by unprivileged users.
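The detection queries and the search-order rule above, combined into one script. This is an added example, not code from the original page: it lists every service whose unquoted path contains spaces, expands the candidate executables Windows will probe (one per space, in order, .exe appended), tests whether the current user can create a file in each candidate's directory, and offers a fix that writes the quoted path. Treating the first ".exe" in the PathName as the end of the executable is an assumption used to separate the path from trailing service arguments; the function names are this example's own.

```powershell
# Added example (not from the original page). Find services with unquoted paths
# containing spaces, enumerate the executables CreateProcess will try before the
# real one, and report which of those locations the current user can write to.

function Get-UnquotedCandidate {
    param([Parameter(Mandatory)][string]$ExePath)
    # CreateProcess rule: try each prefix that ends at a space, then the full path.
    # A prefix without an extension gets .exe appended.
    $tokens = $ExePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -notmatch '\.exe$') { $prefix += '.exe' }
        $candidates += $prefix
    }
    $candidates += $ExePath
    return $candidates
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Try to actually create a file: this reflects the effective ACL, unlike reading ACEs by hand.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([guid]::NewGuid().ToString('N') + '.tmp')
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }   # quoted: not affected
        if ($path -match '^[A-Za-z]:\\Windows\\') { return }              # system dirs are not user-writable; skip the noise
        # Assumption: the executable path ends at the first ".exe"; the rest is arguments.
        if ($path -notmatch '^(?<exe>.+?\.exe)(?<args>.*)$') { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }                                 # spaces only in the arguments: fine
        foreach ($candidate in Get-UnquotedCandidate -ExePath $exe) {
            if ($candidate -eq $exe) { continue }                           # the real binary: that is the "replace binary" case
            $dir = [System.IO.Path]::GetDirectoryName($candidate)
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                RunsAs    = $_.StartName
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Directory $dir
            }
        }
    }
}

function Repair-ServicePath {
    # Quote the executable so the SCM passes one unambiguous path to CreateProcess.
    # Writes ImagePath directly, which is what "sc config <name> binPath=" does; needs admin.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$ExePath,
          [string]$Arguments = '')
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $value = "`"$ExePath`"" + $(if ($Arguments) { ' ' + $Arguments.Trim() } else { '' })
    Set-ItemProperty -Path $key -Name ImagePath -Value $value
}

# Usage: show only the candidates whose directory the current user can write to.
Find-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A row with Writable = True and RunsAs = LocalSystem is the target; StartMode and State tell you whether a reboot is needed to trigger the restart. For the Sync Breeze path above the script reports C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Sync.exe and C:\Program Files (x86)\Sync Breeze.exe as candidates, and on a default install only the ones under C:\Program Files (x86)\ are likely to be writable, and only if the vendor loosened the ACL.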