SOLVED

Windows Unquoted Service Path Enumeration - Is this still the case in modern Windows (10, 11)?

Contributor

Hi Folks, 

 

This could be irrelevant, as the issue goes back a few years and Microsoft may have already fixed it, but I just wanted to verify/confirm.

The Windows Unquoted Path Enumeration vulnerability was identified back in 2013 (or maybe even earlier). In simple terms, when a service is created whose executable path contains spaces and isn't enclosed within quotes, it leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is). In Windows, if the service is not enclosed within quotes and has spaces, it would handle the space as a break and pass the rest of the service path as an argument.

 

Ref: https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8...

So my question is, is this still a vulnerability in the modern versions of Windows 10, 11?

 

Appreciate any inputs/recommendations!

 

 

2 Replies

Apparently there still seem to be a lot of applications with this vulnerability out there, but that does not necessarily mean it falls under Microsoft. I'd imagine it simply means that you should update the application as soon as the 3rd party releases a fix.

 

i.e. CVE - CVE-2022-27050 (mitre.org) BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability.

 

Ref - https://www.cvedetails.com/vulnerability-list/cweid-428/vulnerabilities.html

best response confirmed by Manoj Karunarathne (Contributor)
Solution
The above response is the latest on this, as I could not fetch anything specific to Microsoft on this. This script does a fantastic job of fixing the paths if there are any, so if you happen to have this issue, it'd be really handy (hats off to those who contributed to this project!) - https://github.com/VectorBCO/windows-path-enumerate/
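
A read-only way to check a machine for the condition discussed in this thread, as an added example that is not part of the original posts and is not the linked VectorBCO script. The function name and the sample paths are constructed for illustration, and the check assumes the service executable ends in `.exe`.

```powershell
# Added example: read-only audit for unquoted service paths (CWE-428).
# It reports findings and a quoted replacement value; it changes nothing.

function Get-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # A leading quote means the executable path is already delimited.
    if ($path.StartsWith('"')) { return }
    # Executable portion = shortest prefix ending in ".exe"; anything after it
    # is arguments, which may contain spaces ("svchost.exe -k netsvcs" is fine).
    if ($path -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$' -and
        $Matches['exe'].Contains(' ')) {
        [pscustomobject]@{
            Executable = $Matches['exe']
            Suggested  = '"{0}"{1}' -f $Matches['exe'], $Matches['args']
        }
    }
}

# Constructed sample values (hypothetical vendor path), so this runs anywhere.
$samples = @(
    'C:\Program Files\Vendor App\Update Service\svc.exe -run'
    '"C:\Program Files\Vendor App\Update Service\svc.exe" -run'
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $hit = Get-UnquotedServicePath -ImagePath $s
    if ($hit) { "UNQUOTED: $s  ->  $($hit.Suggested)" } else { "ok:       $s" }
}

# On Windows, run the same check against the installed services.
if ($env:OS -eq 'Windows_NT') {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $hit = Get-UnquotedServicePath -ImagePath $_.PathName
        if ($hit) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                PathName  = $_.PathName
                Suggested = $hit.Suggested
            }
        }
    } | Format-List
}
```

The `RunsAs` column shows which account each flagged service runs under, which is the condition the original question attaches to the SYSTEM-level impact.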