A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Thursday, 16 January 2014

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since this Windows issue has had credentialed checks available in Nessus and it showed up again on a recent test. If you're not aware of the issue http://www.commonexploits.com/unquoted-service-paths/ has a great writeup and is referenced in the associated Nessus plugin (Nessus plugin ID 63155)

In a nutshell this vulnerability is due to some Windows paths for services in the registry not being "enclosed with quotes". Believe it or not but when Windows sees the following: C:\Program Files\Test App\app.exe it tries to run the executable like this:

C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services:

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto

Metasploit has a privilege escalation module to take advantage of this but I couldn't find a simple standalone way of showing a proof of concept for this issue.  Taking the easy option and copying cmd.exe to the path fails to execute as it is not a proper Windows service application, we decided to write our own service to demo this!

Introducing SecQuestCMDService.exe!

SecQuestCMDService is a Windows service app that you can copy into the path of the service you want to exploit which will pop up a command shell running with NT Authority\System privileges. It has been tested on Windows XP and Windows 7 and may allow privilege escalation in places where good old exploits like sethc/magnify are blocked by policy.

Getting this working took a bit of trial and error starting with the old favourite of using "AT" which we soon worked out isn't allowed to run interactively on Windows 7. Running cmd.exe directly worked; you can see it in task manager but you can't see the Window as the initial service isn't marked as interactive and so on!

The way we finally got this program to work is that the initial service uses "sc" to create a new service, sqcmdsvc, which it then tries to start. The sqcmdsvc is created as an interactive service which then allows it to load cmd.exe which can now be seen.

It's essentially a simple app which handles service start/stop commands and calls cmd.exe a few times to get a service installed/started. You can do this manually if you have admin permissions on the box (adding the description is purely cosmetic!):

 sc create SQCMDSVC Displayname= "SecQuest Command Service" binpath= "cmd.exe /K start" type= own type= interact > nul 2>&1
 sc description SQCMDSVC "Helping you p0wn your Windows!"
 sc start SQCMDSVC

You'll probably find that getting the executable on to locked down boxes is going to be a challenge, most will need administrator privileges to be able to copy files in to C:\Program Files\* - mounting the hard drive may be the way to go if it's not encrypted.

OK demo time, lets exploit the Corsair SSD service on XP:

Firstly copy the SecQuestCMDService exe to C:\Program Files and rename it to Corsair.exe

Bounce the "CorsairSSDTool" service, wait a couple of seconds and you've got a shell!

Similarly on Windows 7 we can exploit HTC's internet pass through service..

This time we'll copy the SecQuestCMDService exe to C:\Program Files\HTC and call it Internet.exe. What happens after bouncing the service is a bit different on Windows 7.. firstly you may notice a message saying that a service is trying to get interactive (it usually sits there flashing in the taskbar until you click it):

Clicking on "View the message" gives a system level cmd.exe in a separate desktop session :o)

If you check in Windows services you'll see that a new service, "SecQuest Command Service", is installed.. that can be manually started as well in-case you need to use the command shell again. For some reason sometimes the command prompt isn't displayed the first time the vulnerable service is run although the sqcmdsvc is installed, starting sqcmdsvc manually should give a shell as expected.

To clean up, from a command prompt, type: sc delete sqcmdsvc -> Top Tip: if you've got the services window up still the service won't be deleted until you close it.

The app can be downloaded from our downloads section: https://secquest.co.uk/downloads.sq

The relevant vendors referenced in this post have been informed and we'll update it if we get any feedback. These guys aren't the only ones, there are 100's of other vulnerable services out there just waiting to be found!

Have fun!

* All trademarks and registered trademarks are the property of their respective owners.

1 comment:

  1. https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341