It's been over a year since Nessus added a credentialed check for this Windows issue, and it showed up again on a recent test. If you're not aware of the issue, http://www.commonexploits.com/unquoted-service-paths/ has a great writeup and is referenced in the associated Nessus plugin (Nessus plugin ID 63155).
In a nutshell, this vulnerability is due to some Windows service paths in the registry not being enclosed in quotes. When the unquoted path contains spaces, Windows cannot tell where the executable name ends and the arguments begin, so it treats each space as a possible end of the name, appends .exe, and tries the candidates in turn. Given C:\Program Files\Test App\app.exe it tries to run the executable like this:
C:\Program.exe
C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe
Anyone who can write to one of the earlier directories (C:\ or C:\Program Files\ in the example) can drop a binary there that the service will start instead of the real one, with the service's own privileges (usually SYSTEM), which is what turns a missing pair of quotes into privilege escalation. On the Common Exploits blog Daniel has given us a handy one-liner to check for vulnerable services: it lists auto-start services, drops anything under C:\Windows, and drops any line that already contains a quote:
C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """
I ran that on a system and got the following results:
CorsairSSDTool CorsairSSDToolBox C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe Auto
Internet Pass-Through Service PassThru Service C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto
Metasploit has a privilege escalation module to take advantage of this, but I couldn't find a simple standalone way of showing a proof of concept for this issue. Taking the easy option and copying cmd.exe into the path fails to execute: the Service Control Manager expects a proper Windows service application that registers with it on start-up, and cmd.exe never does, so the SCM reports the service as failing to start. We decided to write our own service to demo this!
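As an added example (not code from the original post or from the Common Exploits writeup), here is the same check written in Python so the candidate paths Windows will probe can be worked out offline from saved wmic output. It applies the same three filters as the one-liner above (auto-start only, skip C:\Windows, skip quoted paths), enumerates the executables Windows would try in order, and lists the directories an attacker would need write access to. The sample input is constructed from the two results shown above plus three negative cases; the column order and the "Windows Update" line are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample of the wmic one-liner's output: the two findings shown on the
# page, plus a properly quoted path, a path without spaces and a C:\Windows path
# as negative cases. (Assumed column order: DisplayName, Name, PathName, StartMode.)
SAMPLE_WMIC_OUTPUT = r"""
CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe  Auto
Example Quoted  ExampleSvc  "C:\Program Files\Example\svc.exe" -arg  Auto
Plain  PlainSvc  C:\Tools\plain.exe  Auto
Windows Update  wuauserv  C:\Windows\system32\svchost.exe -k netsvcs  Auto
"""

# The path column begins at the first double quote or the first drive letter.
PATH_START_RE = re.compile(r'"|\b[A-Za-z]:\\')
EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def candidate_executables(pathname):
    r"""Return the executables Windows will try, in the order it tries them.

    For an unquoted ImagePath, CreateProcess treats every space as a possible end
    of the executable name and appends '.exe' to each candidate it forms, so
    'C:\Program Files\Test App\app.exe' yields C:\Program.exe, then
    C:\Program Files\Test.exe, then the intended binary.
    """
    p = pathname.strip()
    if p.startswith('"'):
        # Quoted: the executable is exactly what sits between the quotes.
        return [p[1:p.index('"', 1)]]
    # Stop at the first '.exe' so trailing service arguments are not split further.
    m = EXE_RE.search(p)
    exe = p[: m.end()] if m else p
    parts = exe.split(" ")
    cands = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    cands.append(exe if exe.lower().endswith(".exe") else exe + ".exe")
    return cands


def hijack_directories(pathname):
    """Directories where an attacker-controlled file would be picked up before
    the real binary, de-duplicated and in search order."""
    cands = candidate_executables(pathname)
    return list(dict.fromkeys(ntpath.dirname(c) for c in cands[:-1]))


def parse_wmic_line(line):
    """Split one output line into (names, pathname, startmode); None if no path."""
    fields = line.strip().rsplit(None, 1)
    if len(fields) != 2:
        return None
    head, startmode = fields
    m = PATH_START_RE.search(head)
    if not m:
        return None
    return head[: m.start()].strip(), head[m.start():].strip(), startmode


def find_unquoted_services(text, auto_only=True, skip_windows_dir=True):
    """Mirror the findstr filters from the one-liner and report every service
    whose ImagePath is unquoted and contains a space, with the paths Windows
    will probe before reaching the real binary."""
    findings = []
    for line in text.splitlines():
        parsed = parse_wmic_line(line)
        if parsed is None:
            continue
        names, pathname, startmode = parsed
        if auto_only and startmode.lower() != "auto":
            continue
        if skip_windows_dir and pathname.lower().startswith("c:\\windows\\"):
            continue
        cands = candidate_executables(pathname)
        # One candidate means no space in the executable part: nothing to hijack.
        if pathname.startswith('"') or len(cands) < 2:
            continue
        findings.append({
            "service": names,
            "pathname": pathname,
            "candidates": cands,
            "hijack_dirs": hijack_directories(pathname),
        })
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_WMIC_OUTPUT):
        print(f["service"], "->", f["pathname"])
        for d in f["hijack_dirs"]:
            print("   check write access to:", d)
```

On a real engagement, feed the script the saved output of the wmic command and then check each reported directory with icacls (or accesschk) for write or create-file rights for the user you have; an unquoted path is only exploitable when one of those earlier directories is writable, and C:\ and C:\Program Files normally are not by default. Note that the original one-liner's findstr /i "auto" also matches the word anywhere on the line, so a path containing "auto" can slip through it; the parser above keys on the last column instead.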