Guides, Privilege Escalation, Windows

Windows Privilege Escalation – Unquoted Service Paths

February 1, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This is a vulnerability that manifests itself whenever the path to the executable used for a service is not surrounded by quotes.

This can be exploited to execute an arbitrary binary when the vulnerable service starts, which could allow to escalate privileges to SYSTEM

The way to exploit this vulnerability is to place a malicious executable somewhere in the service path, and name it in a way that starts with the first few letters of the next directory in the service path. When the service starts, it will then execute the evil binary and grant remote SYSTEM access.

The Attack

For example, if the path to a service is the following: C:\Program Files (x86)\Stefs Program\bin\Stef.exe, this could be exploited by placing a binary as follows:

  • C:\Program.exe
  • C:\Program Files (x86)\Stefs.exe
  • C:\Program Files (x86)\Stefs Program\bin\Stef.exe

Identifying Unquoted Service Paths

In order to identify unquoted service paths when performing enumeration steps, the following command can be used:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

The “Stefs Service” service seems to be vulnerable. Let’s break it down:

  • wmic is used to gather service information, in this case the name, path name, display name and start mode(whether it start at system startup)
  • findstr is used to only display the services that start at system startup
  • findstr is used again to do a reverse search on C:\Windows\\ to ignore services located in this folder
  • findstr is used again to do a reverse search for the ” character, therefore only displaying services having service paths without quotes

It can also be found using the Registry Editor, with the following path:

HKLM\SYSTEM\CurrentControlSet\Services\Servicename

Automated scripts such as WinPEAS will also be able to identify them:

Writing the Malicious Binary

The next step is to add the malicious executable that will effectively replace the service executable when it starts. In order for this to work, the current user requires write access to the service path.

This can be checked using the icacls Windows utility, which is used to display and modify the security descriptors on folders and files.

icalcs "C:\Program Files (x86)\Stefs Program"

It appears that all users have full control over this directory.

NOTE: The main icacls permissions are as follows:

  • F – Full access
  • M– Modify access
  • RX – Read and execute access
  • R – Read-only access
  • W – Write-only access

Whereas these are used for file/folder inheritance:

  • (OI) – Object inherit
  • (CI) – Container inherit
  • (IO) – Inherit only
  • (NP) – Do not propagate inherit

MSFvenom can be used to generate a reverse shell with the following flags:

  • -p to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format, in this case exe

Transferring the shell.exe file to the Windows victim machine using the Python web server and the Windows Certutil utility, placing it in the “C:\Program Files (x86)\” folder and calling it “Stefs.exe”:

Executing the Malicious Binary

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The service can then be started with the following command:

sc start "Service Name"

This has granted a SYSTEM shell

Access to start or stop services is often denied, especially for normal users

The solution to this problem, if the service is set up to start at boot, is to restart the machine. The following command can be used to verify whether the current user has access to do so:

whoami /priv

It looks like the current user has access to restart the machine. The following command can be used to reboot the box:

shutdown /r /t 0

Once the machine has finished restarting, because the service has been setup to start at boot, a reverse shell was immediately received

Metasploit Exploitation

This vulnerability can also be exploited using the exploit/windows/local/trusted_service_path Metasploit module. Once a Meterpreter session has been obtained, this module can be used to escalate privileges to SYSTEM.

The PowerSploit Get-ServiceUnquoted and Write-ServiceBinary modules can also be used to exploit unquoted service paths. The Get-ServiceUnquoted module allows to find vulnerable services whereas the Write-ServiceBinary binary is used to create the malicious executable.

Conclusion

Unquoted service paths has been one of the main Windows vulnerabilities for a long time, and it has affected a great amount of software, including products from very reputable and large vendors. In fact, Windows 0day vulnerabilities are very often unquoted service paths.