As a cybersecurity professional, it’s essential to understand and address potential security threats that may exist within an organization. One such threat is unquoted service paths. In this article, we’ll explore what unquoted service paths are, why they pose a security threat, and how to detect them. I’ll also provide sample scripts in PowerShell and Python to remotely query and detect unquoted service paths of remote servers in an organization.
What are Unquoted Service Paths?
In Windows operating systems, services are programs that run in the background and provide specific functions to the operating system or applications. A service path is the location where the service executable file is stored. An unquoted service path is a service path that contains spaces but is not enclosed in quotation marks. For example, an unquoted service path might look like this:
C:\Program Files\Some Folder\Some Service.exeIn this example, the service path contains spaces, but it is not enclosed in quotation marks. This can create a security vulnerability that attackers can exploit.
Why do Unquoted Service Paths Pose a Security Threat?
An unquoted service path can be a security threat because it can allow an attacker to execute arbitrary code with elevated privileges. This occurs because the Windows operating system interprets the unquoted service path as two separate elements: the path to the executable file and the command-line arguments.
An attacker can create a malicious executable file in a path that mimics an unquoted service path. When the operating system tries to start the service, it will execute the malicious executable instead.
For example, an attacker could create a malicious executable file at the following path:
C:\Program.exeIf there is a service with an unquoted service path of:
C:\Program Files\Some Folder\Some Service.exeThe operating system will interpret the service path as:
C:\Program.exe Files\Some Folder\Some Service.exeand execute the malicious executable, which can lead to unauthorized access, data theft, or other malicious actions.
The attacker can now restart the “Some Service”, which will trigger the execution of the malicious executable as the service starts up. Since the service path is unquoted, the operating system will interpret the space in the path as a command-line argument, resulting in the execution of the malicious executable. The execution will take place with the same privilege level used to run the service.
If the service is running as “SYSTEM”, the attacker can perform his actions with SYSTEM privileges on the system.
The malicious executable can also contain code to gain elevated privileges, such as creating a new user account or adding the pentester’s user account to the local “Administrators” group.
How to Detect Unquoted Service Paths
Penetration testers and blue teams can detect unquoted service paths by performing a scan of the organization’s systems. There are several ways to detect unquoted service paths, including using PowerShell or Python scripts. Here are some sample scripts to remotely query and detect unquoted service paths of remote servers in an organization.
PowerShell Script
The following PowerShell script will remotely query a list of servers and return any unquoted service paths found:
$computers = Get-Content -Path C:\Computers.txt
foreach ($computer in $computers) {
Get-WmiObject -Class Win32_Service -ComputerName $computer |
Where-Object {$_.PathName -notlike '""' -and $_.PathName -like '\ **'} |
Select-Object Name, DisplayName, PathName, StartMode
}The script reads a list of servers from a file named Computers.txt and uses the Get-WmiObject cmdlet to query each server’s Win32_Service class. The script then filters the results to include only services with unquoted service paths.
Python Script
The following Python script will remotely query a list of servers and return any unquoted service paths found:
import wmi
computers = open('C:\Computers.txt', 'r').read().splitlines()
for computer in computers:
conn = wmi.WMI(computer)
for service in conn.Win32_Service():
if ' ' in service.PathName and not service.PathName.startswith('"'):
print(f"Name: {service.Name}\nDisplay Name: {service.DisplayName}\nPath: {service.PathName}\nStart Mode: {service.StartMode}\
The Python script uses the wmi module to connect to each server and query the Win32_Service class. The script then filters the results to include only services with unquoted service paths.
Conclusion
Unquoted service paths can pose a significant security threat to an organization, as they can allow attackers to execute arbitrary code with elevated privileges. Penetration testers and blue teams can detect unquoted service paths by performing a scan of the organization’s systems using PowerShell or Python scripts. By understanding and addressing this potential security vulnerability, organizations can reduce the risk of unauthorized access, data theft, or other malicious actions.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
