Thursday, 16 January 2014

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since this Windows issue has had credentialed checks available in Nessus, and it showed up again on a recent test. If you're not aware of the issue, http://www.commonexploits.com/unquoted-service-paths/ has a great write-up and is referenced in the associated Nessus plugin (Nessus plugin ID 63155).

In a nutshell, this vulnerability is due to some Windows service paths in the registry not being enclosed in quotes. Believe it or not, when Windows sees an unquoted path containing spaces such as C:\Program Files\Test App\app.exe, it treats each space as a possible end of the file name and tries to run the executable like this:

C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

On the Common Exploits blog, Daniel has given us a handy command to check for vulnerable services:

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto
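
Added example (not from this post or the Common Exploits write-up): a Python script that applies the same filters as the wmic/findstr pipeline above to a constructed sample of its output, lists the file names Windows will look for before it reaches the real binary (going one step beyond the list above by including C:\Program.exe, which is tried first), and produces the quoted ImagePath value that fixes each finding. The sample rows are constructed, and the parser assumes wmic's default whitespace-aligned columns.

```python
import re

# Constructed sample of `wmic service get name, displayname, pathname, startmode`
# output, modelled on the post's two findings; the other rows are made up.
SAMPLE_WMIC_OUTPUT = r"""Name             DisplayName            PathName                                                    StartMode
CorsairSSDTool   CorsairSSDToolBox      C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe      Auto
PassThru Service Internet Pass-Through  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe  Auto
Spooler          Print Spooler          C:\Windows\System32\spoolsv.exe                             Auto
SafeSvc          Safe Service           "C:\Program Files\Vendor\Safe Svc\svc.exe" -k netsvcs       Auto
"""

# PathName column (quoted or bare image path, optional arguments), then StartMode.
_LINE_RE = re.compile(r'(?P<path>"[^"]+"[^\r\n]*?|[A-Za-z]:\\.*?\.exe[^\r\n]*?)'
                      r"\s+(?P<mode>Auto|Manual|Disabled)\s*$", re.I)

def split_image_path(image_path):
    """Return (executable, arguments); an unquoted executable ends at the first token ending in .exe."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(\s.*)?$", s, re.I | re.S)
    return (m.group(1), (m.group(2) or "").strip()) if m else (s, "")

def candidate_paths(image_path):
    """Files Windows looks for, in order, for an unquoted path with spaces (each space may end
    the file name, '.exe' appended); the directories holding them are the ones whose ACLs to check."""
    if image_path.lstrip().startswith('"'):
        return []
    exe = split_image_path(image_path)[0]
    tokens = exe.split(" ")
    if len(tokens) == 1:
        return []  # quoted or space-free paths: nothing to check
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))] + [exe]

def quoted_image_path(image_path):
    """Remediated ImagePath value: executable enclosed in quotes, arguments kept."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")

def find_unquoted_services(wmic_output):
    """Apply the post's filters (auto-start, outside C:\\Windows, unquoted with spaces)."""
    findings = []
    for line in wmic_output.splitlines()[1:]:  # skip the header row
        m = _LINE_RE.search(line)
        if not m or m.group("mode").lower() != "auto":
            continue
        path = m.group("path").strip()
        if split_image_path(path)[0].lower().startswith("c:\\windows\\"):
            continue
        if candidate_paths(path):
            findings.append((path, candidate_paths(path)))
    return findings
```

Run find_unquoted_services on real wmic output to get the flagged rows, then set each service's ImagePath to quoted_image_path(row) to remediate.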

Metasploit has a privilege escalation module to take advantage of this, but I couldn't find a simple standalone way of showing a proof of concept for this issue. Taking the easy option and copying cmd.exe to the path fails to execute, as it is not a proper Windows service application, so we decided to write our own service to demo this!