How to fix the Windows unquoted service path vulnerability

At times you will find that some applications or services are not configured correctly, and a vulnerability scan of your machine may report a finding listed as “Microsoft Windows Unquoted Service Path”. This can also come up if you are going for Cyber Essentials Plus certification.

So what does this vulnerability mean? When an application or service is installed, the location of its executable is saved in the Windows Registry. If that path contains spaces, such as “C:\Program Files\”, and is not enclosed in double quotes, a malicious attacker who has local access to the machine may be able to gain elevated privileges by inserting or copying an executable file into the affected path.

This may sound worrying or complex to fix; however, it is relatively easy to resolve if you have local administrative access to the machine.

There are two steps to resolving this issue: the first is finding which service or application is affected, and the second is fixing it.

Step 1: Finding the affected application/service

Log on to the machine that received the unquoted service path report, open a command prompt (run as administrator) and run the following command:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

For some additional context, this command lists the service name, executable path, display name and start mode of every service, keeps only those set to start automatically, excludes everything under C:\Windows\ and finally excludes paths that are already enclosed in double quotes.

If you have any affected service paths, the above command will list the name and path of each, so you can see which ones need fixing. If the command lists nothing, either everything is fine or you do not have sufficient permissions.

Step 2: Fixing

Open up the Registry Editor as an administrator and then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Once there, look for the service name listed by the command above and double-click it to expand its information. Then click the ‘ImagePath’ value in the right-hand pane and edit the path. You will need to add a double quote at the start and end of the executable path. For example:

Before:  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

After:  "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

Once done, exit the registry editor and reboot the machine for the changes to take effect.


Note: WMIC support may be removed in a future version of Windows, in which case you will have to use PowerShell instead. For more information on WMIC you can visit: https://support.microsoft.com/en-us/topic/a-description-of-the-windows-management-instrumentation-wmi-command-line-utility-wmic-exe-f5c16751-3a83-49ee-030d-5092ce1a04bb
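As an added example (not from the original article), here is a PowerShell equivalent of the WMIC check above that reads the same ImagePath values from the registry, goes a little further by checking every Win32 service rather than only auto-start ones, and can apply the quoting fix from Step 2 itself. The -Fix switch, the output columns and the drivers/C:\Windows exclusions are my choices for this script, not something the article specifies; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Lists services whose executable
# path contains a space but is not quoted; with -Fix, wraps the executable in
# double quotes. The original ImagePath is kept in the output so it can be
# restored with Set-ItemProperty if required.
param([switch]$Fix)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $imagePath = $props.ImagePath
    if (-not $imagePath) { continue }

    # Skip kernel and file-system drivers (Type 0x1 / 0x2); only Win32 services
    # are started as processes and affected by the quoting problem.
    if ($props.Type -band 0x3) { continue }

    # Already quoted: nothing to do.
    if ($imagePath.TrimStart().StartsWith('"')) { continue }

    # Split the value into the executable and any trailing arguments. -match is
    # case-insensitive, so .EXE is handled too. Values with no recognisable
    # .exe are reported for manual review rather than changed.
    if ($imagePath -notmatch '^(?<exe>.*?\.exe)(?<rest>.*)$') {
        [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $imagePath; Proposed = $null; Status = 'ReviewManually' }
        continue
    }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']

    # %ProgramFiles% and similar are expanded before the service starts, so the
    # expanded executable path is what must be checked for spaces.
    $expandedExe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($expandedExe -notmatch '\s') { continue }
    if ($expandedExe -like "$env:SystemRoot\*") { continue }   # same exclusion as the WMIC one-liner

    $quoted = '"{0}"{1}' -f $exe, $rest   # quote only the executable, keep arguments as they were
    $status = 'Vulnerable'
    if ($Fix) {
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted
        $status = 'Fixed'
    }
    [pscustomobject]@{
        Service   = $key.PSChildName
        ImagePath = $imagePath
        Proposed  = $quoted
        Status    = $status
    }
}
```

Pipe the output to Export-Csv to keep a record of the before and after values; as with the registry edit, affected services pick up the new path on their next start or after a reboot.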
