Good Evening

Windows Privilege Escalation - Exploiting Unquoted Service Path Vulnerability


An unquoted service path vulnerability arises when a service is created whose executable path contains spaces and is not enclosed in quotes. If a low-privilege user can write to any location along the unquoted service path, they could exploit the vulnerability to run their own binary with the service's privileges.

When the system boots, it auto-starts some of its services. For a service with an unquoted path, consider the following executable location:

C:\Program Files\A Subfolder\B Subfolder\C Subfolder\AnyExecutable.exe

In order to run AnyExecutable.exe, Windows will interpret this path and try the following candidates in order, stopping at the first one that exists:

  1. C:\Program.exe

  2. C:\Program Files\A.exe

  3. C:\Program Files\A Subfolder\B.exe

  4. C:\Program Files\A Subfolder\B Subfolder\C.exe

  5. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\AnyExecutable.exe

Identifying the Vulnerability

To identify the vulnerability I have come across two methods:

Method 1

Using wmic (Windows Management Instrumentation Command-line) to list auto-start services whose path is outside C:\Windows\ and not wrapped in quotes:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
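As an added example (not code from the original post), the resolution order shown above and the same filter the wmic command applies can be expressed as a small audit helper. The service records below are constructed samples, not real services, so it runs offline; on a real host the records would come from the wmic output and each returned directory would have its ACL checked for write access by non-administrators.

```python
import ntpath

# Constructed sample records shaped like "wmic service get name,pathname,startmode".
SAMPLE_SERVICES = [
    {"name": "VulnSvc", "startmode": "Auto",
     "pathname": r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\AnyExecutable.exe"},
    {"name": "QuotedSvc", "startmode": "Auto",
     "pathname": r'"C:\Program Files\Safe Vendor\svc.exe" -run'},
    {"name": "NoSpaceSvc", "startmode": "Auto", "pathname": r"C:\Tools\svc.exe"},
    {"name": "SysSvc", "startmode": "Auto",
     "pathname": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"name": "ManualSvc", "startmode": "Manual",
     "pathname": r"C:\Program Files\Other Vendor\tool.exe"},
]


def is_unquoted_with_spaces(pathname):
    """True when the path is not wrapped in quotes and contains a space."""
    p = pathname.strip()
    return not p.startswith('"') and " " in p


def candidate_paths(pathname):
    """Executables Windows tries, in order, for an unquoted path: every prefix
    ending at a space gets '.exe' appended; a prefix already ending in '.exe'
    is the real binary and the remainder is treated as arguments."""
    p = pathname.strip()
    candidates = []
    for i, ch in enumerate(p):
        if ch != " ":
            continue
        prefix = p[:i]
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            return candidates
        candidates.append(prefix + ".exe")
    candidates.append(p if p.lower().endswith(".exe") else p + ".exe")
    return candidates


def dirs_to_check(pathname):
    """Directories a defender must audit for write access: the parent of every
    candidate that would be picked before the intended executable."""
    return [ntpath.dirname(c) for c in candidate_paths(pathname)[:-1]]


def find_unquoted_services(records):
    """Apply the same filter as the wmic pipeline: auto-start, outside C:\\Windows\\, unquoted."""
    return [r["name"] for r in records
            if r["startmode"].lower() == "auto"
            and not r["pathname"].strip().lower().startswith(r"c:\windows\\".rstrip("\\"))
            and is_unquoted_with_spaces(r["pathname"])]
```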