If you’re using a vulnerability scanner on your PC or network, you’ve probably come across the Microsoft Windows Unquoted Service Path Enumeration vulnerability. The truth is, this vulnerability has been around for many years and Microsoft hasn’t done much to address it. Instead, they’ve left it up to the individual developers to fix their programs and include quotes around their service paths when creating the registry keys.
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability
Every Windows service has a path to its executable. If that path is unquoted and contains whitespace, the service control manager tries the shorter, space-delimited prefixes of the path as candidate executables before the full path, so a file placed at one of those shorter paths is launched first. This affects all versions of Windows and any operating system that supports spaces in file names.
Essentially, if you have an unquoted service path with a space in it, that service is vulnerable to attack. If an attacker can write to a folder in the directory path, privilege escalation is possible by placing a malicious program in the parent path at the point before the whitespace.
Disclaimer: Remember to check your results! I cannot be liable for any damage caused by running these scripts. It’s your environment and you ran them.
I’ve seen a few scripts floating around to resolve this vulnerability. Some can be run on individual systems and others are PowerShell scripts that can be run across a network. I would recommend starting small and testing your results thoroughly.
Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability
The first step on a single PC is to run this command from an elevated command prompt. It lists the services set to start automatically, excludes anything under C:\Windows, and filters out paths that are already quoted, leaving the service paths that need remediation.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Alternate PowerShell version (the single quotes hand the whole pipeline to cmd unchanged):
cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """'
There’s a nifty PowerShell script over at VectorBCO’s GitHub project (https://github.com/VectorBCO/windows-path-enumerate/).
Before running the PowerShell script, you might need to set your ExecutionPolicy to Unrestricted if you haven’t already. To do that, run this command in PowerShell and select Y:
Depending on how you manage your servers, you have several options for deploying this PowerShell script to multiple systems. Not every server will have this vulnerability; it only appears where the affected software is installed.
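As an added example, not the VectorBCO script and not part of the original post, the following PowerShell performs the same check as the wmic one-liner directly against the registry and, when run with -Fix, wraps the executable portion of each affected ImagePath in quotes. It assumes an elevated session and the standard HKLM:\SYSTEM\CurrentControlSet\Services layout; the function name Get-QuotedImagePath is my own.

```powershell
# Added example: detect (and optionally fix) unquoted service paths containing a space.
# Not the VectorBCO script. Run from an elevated PowerShell session; -Fix writes to the registry.
param([switch]$Fix)

# Return the quoted form of a raw ImagePath, or $null if the value needs no change.
function Get-QuotedImagePath {
    param([string]$ImagePath)
    if ($ImagePath.TrimStart().StartsWith('"')) { return $null }   # already quoted
    # Executable part = everything up to the first ".exe"; the rest are arguments.
    # Drivers (.sys) and other non-.exe entries are left alone.
    if ($ImagePath -match '^(?<exe>.*?\.exe)(?<tail>.*)$') {
        $exe  = $Matches['exe']
        $tail = $Matches['tail']
        if ($exe -match '\s') { return '"' + $exe + '"' + $tail }
    }
    return $null                                                   # no space in the binary path
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    # Read the raw string so REG_EXPAND_SZ values such as %SystemRoot%\... are not
    # expanded here and then written back in expanded form.
    $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }
    $fixed = Get-QuotedImagePath -ImagePath ([string]$raw)
    if (-not $fixed) { continue }
    [pscustomobject]@{ Service = $key.PSChildName; ImagePath = [string]$raw; Fixed = $fixed }
    if ($Fix) {
        # Preserve the existing value kind (REG_SZ vs REG_EXPAND_SZ) when rewriting.
        $kind = $key.GetValueKind('ImagePath')
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed -Type $kind
    }
}
$findings | Format-Table -AutoSize
```

Run it without -Fix first and review the Fixed column before applying changes.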
The script doesn’t seem to work.
PS C:\Scripts> C:\Scripts\FixServicePath.PS1
At C:\Scripts\FixServicePath.PS1:15 char:43
+ $NewPath = ($ImagePath -split ".exe ") $key = ($ImagePath -split ".exe ") …
Unexpected token '$key' in expression or statement.
At C:\Scripts\FixServicePath.PS1:15 char:81
+ … it ".exe ") $triger = ($ImagePath -split ".exe ")
Unexpected token '$triger' in expression or statement.
+ CategoryInfo : ParserError: (:) , ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
That is the error I get when I try to run it even after setting the execution policy to unsigned.
I think if you go to line 15, separate those tokens, i.e.:
$NewPath = ($ImagePath -split ".exe ")
$key = ($ImagePath -split ".exe ")
$triger = ($ImagePath -split ".exe ")
The next error I think you will need to fix is on line 10: fix the registry path and add the missing "\".
I'm still having issues, but at least I got past those two.
On TechNet the script was updated a few times, so please use the original link.
After remediating using the ps1 script, I used the wmic bat file to check if the fix worked. I noticed that instead of quotes surrounding the ImagePath string, it sets up %xxxx% instead of C:\xxxxx. Is that still acceptable?
Calvin, you can address your question on GitHub.
But please clarify your question, or better, include the part of the log file that refers to your question.
The project moved to GitHub, so please use this link to get the latest supported release: https://github.com/VectorBCO/windows-path-enumerate/
A link to the GitHub project is also placed on the original TechNet page.
Thank you Victor! I’ve removed the script from this page and changed the link from TechNet to GitHub.