Unquoted Service Path Privilege Escalation

What is Privilege Escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. (by Wikipedia)

NOTE: Privilege Escalation is a Post Exploit.

What is Unquoted Service Path? 

Unquoted Service Path is a vulnerability that occurs if a service executable or service binary file path contains space and not enclosed with quotation marks.

How To check these services in the windows . Open CMD and type.

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

privilege-escalation

Here, One service is vulnerable to Unquoted Service Path Privilege Escalation. Let’s check registry for ImagePath key.

privilege2

Here you can clearly see, ImagePath=C:\EFS Software\Easy File Sharing Web Server\fswsService.exe

Services Path Contain Spaces and is not enclosed by quotation.

When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:

Main Service File Locate here.

C:\EFS Software\Easy File Sharing Web Server\fswsService.exe <====Service Exe file

Windows attempt to run services.
C:\EFS.exe               <=== First Attempt
C:\EFS Software\Easy.exe  <=== Second Attempt
C:\EFS Software\Easy File Sharing Web Server\fswsService.exe <===Finally

Why This Happened?

This vulnerability is caused by the CreateProcess function in Windows operating systems. To learn more about CreateProcess click here.

How to exploit this vulnerability?

If we can drop our malicious exe or binary successfully on one of these paths, upon a restart of the service, Windows will run our exe as a SYSTEM. But we should have the necessary privileges on one of these folders.

How to check the Permission of the folder?

In order to check the permissions of a folder, we can use the built-in Windows tool, icals. Let’s check permissions for C:\EFS Software\



C:\Program Files (x86)\Program Folder>icacls "C:\EFS Software\"
icacls "C:\EFS Software\"
C:\EFS Software\ Everyone:(OI)(CI)(F)
 NT SERVICE\TrustedInstaller:(I)(F)
 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
 NT AUTHORITY\SYSTEM:(I)(F)
 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
 BUILTIN\Administrators:(I)(F)
 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
 BUILTIN\Users:(I)(RX)
 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Program Folder>

WOWWWWWWWW…… I’m  lucky! As you can see, “Everyone” has full control of this folder.

F = Full Control
CI = Container Inherit – This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit – This flag indicates that subordinate files will inherit the ACE.

This means we are free to put any file in this folder!

From now on, what you’re going to do depends on your imagination. I simply preferred to generate a reverse shell payload to run as SYSTEM.

To learn more about Reverse Shall and Bind Shell just read our article.

Leave a Reply