Thick Client Security - Windows Unquoted Search Path

If the path to the service binary is not enclosed in quotes and contains white spaces, As a result, a local user will be able to elevate the privilege to administrator privilege shell by placing an executable in a higher level directory within the path.

Steps to test:

Step 1: The way to exploit this vulnerability is to place a malicious executable somewhere in the service path, and name it in a way that starts with the first few letters of the next directory in the service path. When the service starts, it will then execute the evil binary and grant remote SYSTEM access.

Identify all the unquoted windows services used by target application by using below command.

cmd /c wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””

Note: Above command won’t scan the path “C:\Windows” because this path needs admin privilege to perform any operation and all services under this path are without white spaces.

Remediation: Double quote the windows service path using registry editor.

!! Happy Learning !!