When a service is created whose executable path contains spaces and isn't enclosed in quotes, the result is a vulnerability known as "Unquoted Service Path". This allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which is default).
Suppose the following executable path is set for a service.
C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
To run SomeExecutable.exe, the system will try the following paths in order, from 1 to 5.
1. C:\Program.exe
2. C:\Program Files\A.exe
3. C:\Program Files\A Subfolder\B.exe
4. C:\Program Files\A Subfolder\B Subfolder\C.exe
5. C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe
Wrapping quotes around the service path makes the .exe path unambiguous, so the system treats it as a single path and the above behaviour ceases.
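The lookup order above and the effect of quoting, written as an audit check. This is an added example, not part of the original page: it is a simplified model of the path parsing that also handles trailing arguments, and the service names and sample entries are constructed.

```python
import ntpath  # Windows path rules, usable on any OS


def candidate_paths(image_path):
    """Paths tried, in order, for a service command line (simplified model)."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        # Quoted: everything up to the closing quote is the single executable path.
        return [cmd[1:].split('"', 1)[0]]
    candidates = []
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        ext = ntpath.splitext(prefix)[1]
        # A prefix without an extension is tried with ".exe" appended.
        candidates.append(prefix if ext else prefix + ".exe")
        if ext.lower() == ".exe":
            # Assumption: the first prefix ending in .exe is the intended
            # binary; anything after it is arguments.
            break
    return candidates


def audit(services):
    """Return {service name: earlier paths that would be tried first}."""
    findings = {}
    for name, image_path in services.items():
        paths = candidate_paths(image_path)
        if len(paths) > 1:
            findings[name] = paths[:-1]  # everything before the real binary
    return findings


# Constructed sample entries (hypothetical service names).
EXE = r"C:\Program Files\A Subfolder\B Subfolder\C Subfolder\SomeExecutable.exe"
SAMPLE = {
    "UnquotedSvc": EXE,
    "QuotedSvc": '"' + EXE + '"',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, earlier in audit(SAMPLE).items():
        print(name, "needs quotes; paths tried before the real binary:")
        for p in earlier:
            print("   ", p)
```

Only the unquoted entry is reported; the quoted entry and the path without spaces each resolve to a single candidate.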