Unquoted Service Paths

Learn about Unquoted Service Paths as part of the OSCP (Offensive Security Certified Professional) certification.

Unquoted Service Paths: A Privilege Escalation Vector

In the realm of cybersecurity and penetration testing, understanding how to escalate privileges on a compromised system is crucial. One common and often overlooked vulnerability lies in Unquoted Service Paths. This technique exploits how Windows handles service executable paths that contain spaces and are not enclosed in quotation marks.

What is an Unquoted Service Path?

Every Windows service is configured with the path of its executable. When that path contains spaces and is not enclosed in quotation marks, Windows resolves it by trying each space-delimited prefix in turn as the executable name (appending .exe) and treating the rest of the line as arguments. If an attacker can write to one of the directories that such a prefix points into, they can place an executable there that Windows runs instead of the intended service binary, with the service's privileges.

Identifying Unquoted Service Paths

The first step in exploiting this vulnerability is to identify services with unquoted paths. This can be done manually by inspecting service configurations or, more efficiently, using automated tools.

Automated tools like WinPEAS (Windows Privilege Escalation Awesome Script) or PowerSploit's Find-UnquotedService function are invaluable for quickly scanning a system. These scripts enumerate all installed services and check their executable paths for spaces that are not enclosed in quotation marks. They often highlight potential candidates for exploitation, saving significant manual effort. The output typically lists the service name, its current user context, and the unquoted path, along with any potential executables Windows might try to run.
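The following audit script is an added example, not code from the original page and not part of WinPEAS or PowerSploit. It lists local services whose executable path is unquoted and contains spaces, computes the shorter prefixes Windows would try before the intended binary, and reads each candidate directory's ACL to show which identities hold write rights. The function names, the regex heuristic and the ACL check are this example's own assumptions; it is read-only and assumes Windows PowerShell 5.1 or later, run elevated for complete results.

```powershell
# Added audit example (not from the original page or from WinPEAS/PowerSploit).
# Read-only: it enumerates services and reads directory ACLs, nothing is changed.

function Get-PathPrefixCandidate {
    # For an unquoted command line, return each shorter path Windows tries
    # (with .exe appended) before it reaches the intended executable.
    param([Parameter(Mandatory)][string]$CommandLine)
    $tokens = $CommandLine -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -match '\.exe$') { break }   # reached the real binary; stop
        $candidates += "$prefix.exe"
    }
    return $candidates
}

function Get-WritePrincipal {
    # Identities granted Write, Modify or FullControl on a directory (ACL read only).
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return @() }
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Heuristic used by most audit scripts: no leading quote, and at least one
# space before the ".exe" token. Arguments after the .exe do not matter here.
$unquoted = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -match '^[^"]*\s[^"]*\.exe' }

foreach ($svc in $unquoted) {
    foreach ($candidate in Get-PathPrefixCandidate -CommandLine $svc.PathName) {
        $dir = Split-Path -Parent $candidate
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            StartMode  = $svc.StartMode
            ImagePath  = $svc.PathName
            Candidate  = $candidate
            WritableBy = (Get-WritePrincipal -Directory $dir) -join ', '
        }
    }
}
```

For the path C:\Program Files\My App\MyService.exe the function yields C:\Program.exe and C:\Program Files\My.exe; a row whose WritableBy column names a low-privileged group is the one to fix first.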


Exploitation Steps

Once an unquoted service path is identified, the exploitation process generally follows the steps below.

Detailed Exploitation Walkthrough

  1. Identify the Vulnerable Service: Use tools like WinPEAS or PowerSploit to find services with unquoted paths. Pay attention to services running with SYSTEM or Administrator privileges.
  2. Analyze the Path: Examine the service's executable path. For example, C:\Program Files\My App\MyService.exe is vulnerable when it is stored without quotes.
  3. Determine the Target Executable: Windows resolves the path by trying each space-delimited prefix as an executable. In the example above, it might try C:\Program.exe, C:\Program Files.exe, or C:\Program Files\My.exe.
  4. Place the Malicious Payload: Create a malicious executable (e.g., a reverse shell or a credential-dumping tool) and give it the name of one of the executables Windows might try to run. Place it in a directory that Windows will check and that the attacker has write permission to, ideally one that is tried earlier in the resolution order. For instance, placing Program.exe in C:\ could be effective.
  5. Trigger the Service: The service must be (re)started for the exploit to work. This can be done manually by an administrator, or, if the service is set to start automatically, it will run at boot or whenever the Service Control Manager (SCM) starts it.
  6. Achieve Privilege Escalation: If successful, the malicious executable runs with the privileges of the service (often SYSTEM), granting the attacker elevated access.

The key to success is placing your malicious executable in a location that Windows will attempt to execute before the intended service executable, and ensuring your executable has the necessary permissions to be executed by the service's account.

Mitigation Strategies

Preventing this vulnerability is straightforward and involves proper service configuration:

Vulnerability          | Mitigation
Unquoted Service Paths | Always enclose service executable paths containing spaces in double quotation marks (e.g., "C:\Program Files\My Application\MyService.exe").
Directory Permissions  | Ensure that the directories along a service's executable path, and those in the system's PATH environment variable, do not allow write access to low-privileged users.
Regular Auditing       | Periodically audit service configurations to identify and correct any instances of unquoted paths.

By adhering to these best practices, administrators can significantly reduce the attack surface and prevent privilege escalation through unquoted service paths.
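The function below is an added remediation example, not code from the original page. It rewrites a service's ImagePath so the executable part is wrapped in double quotes, which is the first mitigation in the table above. The function name, the split-at-first-.exe heuristic and the use of the registry value (rather than sc.exe) are this example's own assumptions; it expects an elevated session, accepts -WhatIf for a preview, and the service must be restarted before the new path takes effect.

```powershell
# Added remediation example (not from the original page): quote an unquoted
# service ImagePath in place, preserving the registry value kind.

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $regKey = Get-Item -LiteralPath $key
    # Read the raw value so %SystemRoot%-style variables are written back unexpanded.
    $image = $regKey.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $image) { throw "No ImagePath for service '$ServiceName'" }

    # Already quoted, or no space before the executable name: nothing to do.
    if ($image -notmatch '^[^"]*\s[^"]*\.exe') { return $image }

    # Split at the first ".exe" (heuristic: a directory literally named
    # "something.exe" ahead of the binary would confuse this).
    if (-not ($image -match '^(?<exe>.+?\.exe)(?<args>.*)$')) {
        throw "Cannot parse ImagePath: $image"
    }
    $fixed = '"' + $Matches.exe + '"' + $Matches.args

    if ($PSCmdlet.ShouldProcess($ServiceName, "set ImagePath to $fixed")) {
        # Keep the original kind (usually REG_EXPAND_SZ) so expansion still works.
        $kind = $regKey.GetValueKind('ImagePath')
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type $kind
    }
    return $fixed
}

# Preview, then apply, for a service flagged by an audit (name is a placeholder).
# Repair-UnquotedServicePath -ServiceName 'MyService' -WhatIf
# Repair-UnquotedServicePath -ServiceName 'MyService'
```

Given C:\Program Files\My App\MyService.exe -v the function returns "C:\Program Files\My App\MyService.exe" -v, leaving the arguments outside the quotes.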

Learning Resources

Unquoted Service Path Privilege Escalation - HackTricks (documentation)

A comprehensive guide on understanding and exploiting unquoted service paths, including practical examples and tools.

Windows Privilege Escalation: Unquoted Service Paths - Red Team Notes (blog)

A detailed blog post explaining the concept, how to find vulnerable services, and a step-by-step exploitation walkthrough.

Exploiting Unquoted Service Paths - Offensive Security (tutorial)

An official tutorial from Offensive Security that delves into the mechanics of unquoted service path vulnerabilities and their exploitation.

WinPEAS - Privilege Escalation Awesome Script (documentation)

The go-to script for Windows privilege escalation enumeration, including detection of unquoted service paths.

PowerSploit - Find-UnquotedService Function (documentation)

A PowerShell function from the PowerSploit framework specifically designed to find services with unquoted paths.

Unquoted Service Path Vulnerability Explained - Cyberspace (blog)

Explains the vulnerability, how it works, and provides a practical demonstration of exploitation.

Windows Service Exploitation - Unquoted Paths - Pentest Academy (blog)

A technical breakdown of how unquoted service paths can be exploited for privilege escalation.

Privilege Escalation: Unquoted Service Paths - Null Byte (tutorial)

A tutorial from Null Byte demonstrating how to find and exploit unquoted service paths on Windows systems.

Windows Privilege Escalation Techniques - Unquoted Service Paths (documentation)

A detailed explanation of the vulnerability and its exploitation within the context of broader Windows privilege escalation.

Understanding Windows Service Paths and Exploitation (blog)

A blog post from SANS Institute discussing the nuances of Windows service paths and how they can be exploited.