Contributor:
John Goodridge
November 20th, 2015

Path of enlightenment part 1

A potential privilege escalation around unquoted service paths has been around for over fifteen years now, but it still continues to catch people out.

The vulnerability takes advantage of the way Windows parses directory paths to execute programs.  Let’s look at the following command line:-

C:\Program Files\Octave Corp\LicenseMgr.exe /verify

Any spaces in paths can be considered as a delimiter between the application, LicenseMgr.exe and the argument, /verify. But when the path also contains spaces in folder names, like Program Files, then Windows has to try and work out if you want to run:-

C:\Program.exe   Files\Octave   Corp\LicenseMgr.exe   /verify

or maybe?

C:\Program Files\Octave.exe   Corp\LicenseMgr.exe   /verify

or perhaps?

C:\Program Files\Octave Corp\LicenseMgr.exe    /verify

So how does Windows know what you are trying to do?  The answer is it doesn’t! Windows instead tries to find the first program in the path that matches and executes it.

Fortunately the humble quotation mark (quote) comes to the rescue! By surrounding parts of the path in quotes, it tells Windows to treat anything within pairs of quotes as a single argument. If we add quotes to the previous example:-

“C:\Program Files\Octave Corp\LicenseMgr.exe” /verify

Windows now understands the command line and will execute the desired program.

On Windows, Services are background processes that can run when Windows starts and often run under a highly privileged account, with the all-powerful SYSTEM security right. Each service specifies the path to the program to run and if the path is not quoted then a nefarious actor could gain privilege escalation by inserting a program at an appropriate location on the vulnerable path.

All vendors that install services on a machine should be aware of the vulnerability and so quote the service path. But you can run this little command line just to check that this is the case :-)

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Now as I said, vendors that install services should ensure their services are not vulnerable by quoting the service path and Microsoft even provides a script to fix vulnerable services.

Here are my recommendations to help mitigate privilege escalation of services.

For software vendors:

  • ALWAYS quote paths for services
  • AVOID installing services in folders that users have full access to
  • DO NOT weaken the default security that Windows has put in place.

For businesses:

  • Ensure all users run as a standard user. The benefits of this include:-
    • Malware running as a standard user cannot drop programs in folders like C:\Program Files or the Windows system folder
    • Services cannot be created that use SYSTEM or other privileged accounts
  • Perform a security audit of services on machines to check for vulnerable paths
  • If you have an application whitelisting solution, ensure trusted owner and publisher is being employed.

More from the Blog

Related technology and security insights

  • 28
    Jun
  • Story related

    NotPetya ransomware: Attack analysis

    On June 27, 2017 a number of organisations across Europe began reporting significant system outages caused by a ransomware strain referred to as Petya. The ransomware is very similar to older Petya ransomware attacks from previous years, but the infection ...