Unquoted Service Path
MITRE ATT&CK™ Hijack Execution Flow - Path Interception by Unquoted Path - Technique T1574.09
Theory
Windows privilege escalation through unquoted service paths is a common vulnerability that occurs when a service executable file is installed in a directory path that contains spaces but is not surrounded by quotation marks. When Windows starts a service, it looks for the executable file based on the service's configuration. If the path to the executable contains spaces and is not enclosed in quotation marks, Windows may interpret the path incorrectly. In such cases, Windows will try to locate the executable using a combination of the directory names and filenames in the path, which can result in unintended files being executed.
Here is an example to illustrate this. Consider a service whose executable path is C:\Program Files\A Subfolder\B Subfolder\C Subfolder\VulnSvc.exe and is not enclosed in quotation marks.
In order to run the service executable, the system will try to resolve this path in the following order, executing the first file it finds:
C:\Program.exe
C:\Program Files\A.exe
C:\Program Files\A Subfolder\B.exe
C:\Program Files\A Subfolder\B Subfolder\C.exe
C:\Program Files\A Subfolder\B Subfolder\C Subfolder\VulnSvc.exe
Practice
We can use one of the following methods to enumerate unquoted service paths:
CMD
PowerShell
PowerUp
Alternatively, we can use Get-UnquotedService from PowerUp.
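The path-splitting rule from the Theory section, turned into the same check that the CMD/PowerShell/PowerUp enumeration above performs, run over a constructed list of service records (added example, not code from the original page or from PowerUp; the service names and ImagePath values are made up, and the model lists every candidate in order whereas Windows stops at the first one that exists):

```python
# Added example (not from the original page): models the resolution order
# Windows uses for an unquoted service binary path and flags affected services.

# Once a prefix ends in one of these, the parser has found the executable.
EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd")

def is_quoted(image_path):
    """A path that starts with a double quote is parsed unambiguously."""
    return image_path.lstrip().startswith('"')

def candidate_paths(image_path):
    """Files Windows tries, in order, for an unquoted command line: every
    space may end the executable name, so each prefix is tried with ".exe"
    appended until a prefix that already names an executable is reached."""
    tokens = image_path.strip().split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXE_SUFFIXES):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def find_unquoted_services(records):
    """Return {service: candidate list} for unquoted paths with a space
    before the executable; quoted and space-free paths are skipped."""
    findings = {}
    for name, image_path in records.items():
        if not image_path or is_quoted(image_path):
            continue
        candidates = candidate_paths(image_path)
        if len(candidates) > 1:
            findings[name] = candidates
    return findings

# Constructed sample of service name -> ImagePath, as 'sc qc' would report it.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\VulnSvc.exe",
    "SafeSvc": r'"C:\Program Files\Vendor Tool\safe.exe" -service',
    "wuauserv": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "ArgSvc": r"C:\Program Files\Foo Bar\agent.exe --config C:\Program Files\Foo Bar\a.cfg",
}

if __name__ == "__main__":
    for name, candidates in find_unquoted_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; resolution order:")
        print("    " + "\n    ".join(candidates))
```

A quoted path with arguments and a space-free system32 path are both left alone, which is the filtering the PowerUp check relies on too.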
Resources