
Unquoted Service Paths Vulnerability

An unquoted service path vulnerability occurs when a service is created with an executable path that contains spaces and is not enclosed in quotes. Attackers can exploit it to gain elevated privileges on the system. Here's how to identify and mitigate unquoted service path vulnerabilities:

1. Identification

Using WMIC Command

  • Execute the following WMIC command to identify services with unquoted executable paths:
    wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
    
  • This command lists services set to start automatically (startmode is "auto"), then drops every line that contains "c:\windows\" or a quote character. What remains are auto-start services outside the Windows directory whose paths are not enclosed in quotes.

Vulnerable Service Example

  • Example: Unquoted Service Path
  • The screenshot illustrates an example of a vulnerable service "Sandboxie-Plus v0.7.4" with an unquoted service path.

2. Risk Assessment

Folder Permissions

  • After identifying vulnerable services, assess folder permissions associated with the service executable path.
  • If low-privileged users have write access to the folder containing the executable, privilege escalation may be possible.

3. Mitigation Strategies

Enclose Paths in Quotes

  • Enclose service paths that contain spaces in quotes when creating the service, so that the unquoted service path vulnerability cannot be exploited.

Fix Permissions

  • Review and adjust folder permissions on vulnerable service executable paths so that low-privileged users no longer have write access.
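
The three steps above as one read-only PowerShell audit. This is an added example, not code from the original page, and it goes slightly beyond the WMIC filter by covering every start mode and reporting only paths that actually contain a space. The function names, the English group names in $lowPriv and the "first .exe" heuristic are assumptions of this example.

```powershell
# Added example (not from the original page). Read-only: nothing is changed.
$lowPriv   = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'  # assumption: English names
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

function Get-ServiceExePath {
    # Executable part of a service PathName with arguments dropped; $null if unknown.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }  # already quoted
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }  # heuristic: up to first ".exe"
    return $null
}

function Test-UnquotedServicePath {
    # True only when the path is unquoted AND its executable part contains a space.
    param([string]$PathName)
    if ($PathName -match '^\s*"') { return $false }
    $exe = Get-ServiceExePath $PathName
    return [bool]($exe -and $exe.Contains(' '))
}

function Get-LowPrivWriters {
    # Low-privileged identities holding an Allow ACE with write rights on $Folder.
    param([string]$Folder)
    (Get-Acl -LiteralPath $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$writeBits) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Constructed sample values: only the first one should print True.
$samples = 'C:\Program Files\Example App\svc.exe -k run',
           '"C:\Program Files\Example App\svc.exe" -k run', 'C:\Tools\svc.exe -k run'
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-UnquotedServicePath $_), $_ }

# Live audit of the local machine (steps 1 to 3 in one pass).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    ForEach-Object {
        $exe  = Get-ServiceExePath $_.PathName
        $dir  = Split-Path -Path $exe -Parent
        $rest = $_.PathName.TrimStart().Substring($exe.Length)  # arguments, if any
        [pscustomobject]@{
            Name       = $_.Name
            PathName   = $_.PathName
            WritableBy = if (Test-Path -LiteralPath $dir) { (Get-LowPrivWriters $dir) -join ', ' } else { 'folder missing' }
            QuotedPath = '"{0}"{1}' -f $exe, $rest               # corrected value for the service path
        }
    } | Format-List
```

QuotedPath is the value to store as the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<service name>. A non-empty WritableBy marks the services to fix first.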