The Dangers of Unquoted Service Strings

Neemobeer (Cloud Security Engineer, Staff member)
Joined: Jul 4, 2015. Location: Colorado
Hello everyone, in this post we will be discussing and demonstrating the dangers of unquoted service image path strings. If you don't know what that is, that's OK; we will get into some background.

First things first: in Windows we have special programs called services. These programs are typically .EXE applications with special code that allows them to run outside of the interactive desktop. Services can run as any account that has the "Allow Run As Service" permission, or in a lot of cases the SYSTEM account. This account has the most access of any account on a Windows system. You can see all of the services on your computer by typing services.msc from the Run dialog box. Now, all service information is stored in the registry under the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Under this key we have a registry key for each driver (we don't care about these) and each service executable, with values under each of them.

The particular value we are most interested in is the ImagePath value, which contains the path to the service executable.

Now to the problem.
If this image path contains spaces leading up to the file extension ".exe", the behavior of Windows is to try to append .exe to every word prior to a space in the path, since it doesn't really handle spaces well. The danger lies in the fact that if a malicious actor was able to drop a service in that path, it would execute instead of the real service. This would allow the malicious actor to run just about anything.

If this part is confusing, here is an example of an unquoted service image path and how Windows tries to execute it. I purposely unquoted the Google Update service's path.
[screenshot attachment]


The Google Update service has a space in the path after C:\Program. The resulting execution by Windows will be as follows.
[screenshot attachment]


You can see Windows tried to run Program.exe but could not find it.

Here I've written a very basic service in C# that will spawn a cmd process and write to a text file.
[screenshot attachment]


I've renamed the service and dropped it in one of the locations Windows tries to launch from.
[screenshot attachment]


Now when the Google Update process starts we see Program.exe ran instead.
[screenshot attachment]


Some other indicators:
[screenshot attachment]


and we see it wrote the file like it was supposed to.
[screenshot attachment]
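As an added example (not part of Neemobeer's post), here is a small Python audit helper that reproduces the lookup order the screenshots show: it parses an ImagePath value, lists the file names Windows would try before reaching the real executable (a defender can check whether any of those files exist and alert on them), and produces the quoted value that fixes the service. The sample ImagePath values are constructed, modelled on the Google Update example above; the registry reader assumes it is run on a Windows host.

```python
import ntpath
import re

SAMPLE_IMAGE_PATHS = {  # constructed samples, modelled on the post's Google Update example
    "gupdate": r"C:\Program Files\Google\Update\GoogleUpdate.exe /svc",
    "gupdate-fixed": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc',
    "spooler": r"C:\Windows\System32\spoolsv.exe",
}

def split_image_path(image_path):
    """Return (executable, arguments, quoted) for a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):  # quoted: the executable is the text inside the quotes
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip(), True
    m = re.search(r"\.exe(?=\s|$)", s, re.IGNORECASE)
    if m:  # unquoted: the executable ends at the first .exe token
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False  # no .exe token: treat the whole value as the program

def hijack_candidates(image_path):
    """Files Windows tries, in order, before the real executable: each prefix ending
    at a space, with .exe appended when it has no extension. Empty list = not exposed."""
    exe, _, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return []
    out, idx = [], exe.find(" ")
    while idx != -1:
        prefix = exe[:idx]
        out.append(prefix if "." in ntpath.basename(prefix) else prefix + ".exe")
        idx = exe.find(" ", idx + 1)
    return out

def quoted_image_path(image_path):
    """Remediated ImagePath: executable wrapped in double quotes, arguments kept."""
    exe, args, quoted = split_image_path(image_path)
    return image_path.strip() if quoted else f'"{exe}"' + (f" {args}" if args else "")

def read_service_image_paths():
    """On a Windows host, read every ImagePath under the registry key named in the post."""
    import winreg  # Windows-only module, hence the local import
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    result[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:  # drivers and keys without an ImagePath value
                pass
    return result
```

On a real host, feed `read_service_image_paths()` into `hijack_candidates()` for each service and check the returned paths with `os.path.exists()`; any hit is the kind of planted Program.exe the post demonstrates.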
 
Would this be helpful for non-IT people? I am not comfortable rewriting Windows processes--I don't know enough about them.


 