Microsoft Windows Unquoted Service Path Enumeration
The Microsoft Windows unquoted service path enumeration vulnerability arises when system services are installed with executable paths that are not enclosed in quotation marks. This flaw can be exploited by attackers to execute arbitrary code with elevated privileges if they can place a malicious executable on the path of the affected service.
- Severity: High
If exploited, this vulnerability can lead to unauthorized privilege escalation on the affected system. Attackers could potentially gain administrative access, allowing them to install programs, view, change or delete data or create new accounts with full user rights. This poses a significant risk to organizational security and can compromise the integrity and availability of critical systems.
This vulnerability is caused by improper path handling during service installation. If a service path is specified without quotes and contains spaces, Windows may attempt to execute any executable present in a path substring. For example, if the path is C:\Program Files\My App\service.exe, Windows might attempt to execute C:\Program.exe if present.
To mitigate this vulnerability, you should ensure that all service paths are correctly quoted.
- Open the Registry Editor (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
- Browse through the subkeys and check the ImagePath for each service.
- If the path is unquoted and contains spaces, modify it by adding quotation marks around the full path.
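The manual registry check above, as a report-only PowerShell audit (an added example, not part of the original page): it lists each service with an unquoted ImagePath, the intermediate paths Windows would try first (as in the C:\Program.exe case), and whether a file already exists at any of them. `Get-UnquotedPathCandidates` is a hypothetical helper name, and the script assumes service binaries end in .exe.

```powershell
# Report-only audit: reads the Services key and changes nothing.
# Get-UnquotedPathCandidates is a hypothetical helper name, not a built-in cmdlet.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)

    # A quoted ImagePath is parsed unambiguously, so the pattern rejects any quote
    # before the binary. Assumption: the binary ends in .exe and anything after
    # it is the service's arguments.
    if ($ImagePath -notmatch '^\s*(?<exe>[^"]+?\.exe)(?=\s|$)') { return @() }
    $exe = $Matches.exe

    # Every space inside the executable path marks a prefix that Windows tries
    # first with ".exe" appended: C:\Program.exe, then C:\Program Files\My.exe, ...
    $candidates = @()
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $candidates += $exe.Substring(0, $i) + '.exe'
    }
    return $candidates
}

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    # GetValue expands REG_EXPAND_SZ variables such as %SystemRoot%.
    $imagePath = $svc.GetValue('ImagePath')
    if ($imagePath -isnot [string] -or -not $imagePath.Trim()) { continue }

    foreach ($candidate in (Get-UnquotedPathCandidates $imagePath)) {
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $imagePath
            Candidate = $candidate
            # True means a file already sits where Windows would look first.
            Exists    = Test-Path -LiteralPath $candidate -PathType Leaf
        }
    }
}

$findings | Sort-Object Service, Candidate | Format-Table -AutoSize -Wrap
```

A row with `Exists` set to True means an executable is already present at a location that would be launched in place of the real service binary, which warrants investigation before the path is simply quoted.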
Use a PowerShell script to automatically identify and correct unquoted service paths across the system:
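```powershell
# Run from an elevated prompt. Only unquoted paths with a space in the executable
# portion are changed; the match assumes the service binary ends in .exe.
Get-WmiObject Win32_Service | ForEach-Object {
    # Split the command line at the first ".exe" so arguments stay outside the quotes.
    if ($_.PathName -match '^(?<exe>[^"]+?\.exe)(?<args>\s.*)?$' -and $Matches.exe -like '* *') {
        $path = '"' + $Matches.exe + '"' + $Matches.args
        Set-ItemProperty -Path ("HKLM:\SYSTEM\CurrentControlSet\Services\" + $_.Name) -Name 'ImagePath' -Value $path
        Write-Output "Corrected path for service: $($_.DisplayName)"
    }
}
```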
- Regularly audit service installation scripts and deployment procedures to ensure paths are correctly quoted.
- Employ application whitelisting to restrict which executables can run, minimizing the risk from this vulnerability.
- InfoSec Governance LTD - How to fix the Windows unquoted service path vulnerability
- Tenable - Microsoft Windows Unquoted Service Path Enumeration