Unquoted service path
When a service is configured with a binary path that contains spaces but is not enclosed in quotes, the path is ambiguous and Windows may resolve it to a different executable than the one intended. If we can write to the right directory, that executable can be one we control, and it will run with the service's privileges.
Let's compare two services:
quoted_path_exec
unquoted_path_exec
quoted_path_exec
C:\> sc qc quoted_path_exec
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: quoted_path_exec
TYPE : ...
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\quoted\path\exec.exe
...
unquoted_path_exec
C:\> sc qc unquoted_path_exec
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquoted_path_exec
TYPE : ...
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\rand_path\unquoted path\exec.exe
...
Notice the space in the second executable path (the first service's path has no spaces, so there is only one way to read it). Because the path is unquoted, CreateProcess treats each space as a possible end of the program name and tries the candidates in order. There are two locations at which the service will look for the binary:
C:\rand_path\unquoted (with path\exec.exe passed as the argument; since this name has no extension, .exe is appended, so the file actually looked for is C:\rand_path\unquoted.exe)
C:\rand_path\unquoted path\exec.exe (expected; only reached if the first candidate does not exist)
Assuming we have permission to create files in the C:\rand_path
directory (check with icacls C:\rand_path), we can generate a payload with msfvenom, name it unquoted.exe and move it into that directory. The next time the service starts it will run our executable instead of the intended one.
Three caveats a practitioner should check before relying on this:
The planted binary only runs when the service starts, so we need to restart it (sc stop / sc start, if our account has that right) or wait for a reboot, which works here because the service is AUTO_START.
This is only a privilege escalation if the service runs as a more privileged account than ours; the SERVICE_START_NAME line of the sc qc output (truncated above) shows which account that is, typically LocalSystem.
A plain msfvenom executable is not a real service binary and does not talk to the Service Control Manager, so it gets killed shortly after it starts; msfvenom's exe-service output format avoids this, or the payload must finish its work (e.g. adding a user, spawning a migrated shell) before it is terminated.
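To find such services on a host, the following PowerShell is an added example and not code from the original page. It enumerates services whose binary path is unquoted and contains a space, lists every location CreateProcess will try before reaching the intended .exe (as in the C:\rand_path\unquoted.exe case above), and checks whether the current user holds CreateFiles rights on each candidate's directory, which is the check the text does by hand with icacls. Service, path and directory names come from whatever host it is run on; none are assumed.

```powershell
# Added example (not from the original page): enumerate services with unquoted
# binary paths, list every location CreateProcess will try before reaching the
# intended .exe, and check whether the current user can create files there.
# All service and path names come from the host this runs on.

function Get-CreateProcessCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Keep only the program-name part (up to the first ".exe"); anything after
    # that is arguments and does not add candidates.
    $m = [regex]::Match($ImagePath, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $ImagePath }
    $parts = $exe -split ' '
    $candidates = @()
    # For each space, CreateProcess first tries the text before it; that fragment
    # has no extension, so ".exe" is appended (e.g. C:\rand_path\unquoted.exe).
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    $candidates += $exe   # the intended binary, tried last
    return $candidates
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)
    $want = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl  = Get-Acl -LiteralPath $Directory
    # Deny ACEs take precedence over Allow ACEs, so evaluate them first.
    foreach ($type in 'Deny', 'Allow') {
        foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq $type })) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }   # orphaned or untranslatable SID: skip it
            if (($sids -contains $sid) -and (($ace.FileSystemRights -band $want) -ne 0)) {
                return ($type -eq 'Allow')
            }
        }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName -notmatch '^"' -and                 # already quoted: not vulnerable
        $_.PathName -match '\s' -and                    # no space: unambiguous
        $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'   # skip OS services; those dirs are rarely writable
    } |
    ForEach-Object {
        $svc = $_
        foreach ($cand in Get-CreateProcessCandidates $svc.PathName) {
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                StartMode   = $svc.StartMode
                Candidate   = $cand
                DirWritable = Test-DirectoryWritable (Split-Path -Parent $cand)
            }
        }
    } | Format-Table -AutoSize
```

Run it as the low-privileged user you are testing from. A row with DirWritable set to True is only a privilege escalation if RunsAs is a more privileged account (LocalSystem or a service account) and you can get the service to restart. The ACL helper does not reproduce every nuance of the Windows access check (owner rights, disabled groups, explicit versus inherited ACEs), so confirm a hit with icacls on the directory before relying on it.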