Wednesday 7 June 2017

How to fix unquoted service path vulnerabilities?

Or, Unquoted service path vulnerability
Or, Mitigate unquoted service path vulnerabilities

Descriptions: Unquoted service path vulnerabilities are rated as highly critical vulnerability in windows. Don’t worry it is really very easy to fix.

If you have the vulnerability scan report with you, the report contains following information about this reported vulnerability:

Vulnerability Name: Microsoft Windows Unquoted Service Path Enumeration

Vulnerability Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.

Vulnerability Description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.  Note that this is a generic test that will flag any application affected by the described vulnerability.

Vulnerability Solution: Ensure that any services that contain a space in the path enclose the path in quotes.

IMP Note: There are two stages to fix this vulnerabilities, 1. finding the unquoted path on the affected server and 2. Fixing the unquoted paths.

Steps-1: How to find the unquoted service paths
Login to affected server with administrative privileges > run CMD as Administrator > run the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Once the command is executed successfully, you will be able to see one or more unquoted service paths. Result may look like the below reference screenshot:




Copy all the result to a text or excel file and move to the step-2.


Steps-2: Fixing unquoted service path vulnerabilities 
Search for the unquoted registry entry of the affected service under HKLM\System\CurrentControlSet\Services registry path > Double Click the Image Path key > fix comma like “servicepath” at the beginning and end of the path

Examples:
Unquoted service path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Quoted service path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"

The correct quoted service path image reference:












Cheers, Please write me back if you have any query or feedback..

25 comments:

  1. It works, Thank you!!

    ReplyDelete
  2. Feedback: in my case it was an Intel Audio service which was located in C:\windows so your cmd didn't find it. I found this to be better (filters out svchost.exe services but will find other systemroot locations)

    wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "svchost.exe" |findstr /i /v """

    ReplyDelete
    Replies
    1. Hi, Thanks a lot for your feedback and contribution. This will surely help other readers.

      Happy Learning!

      Delete
    2. @SB the paths found by your command did not have whitespaces. If this is the case, I'd assume they're safe without quotes?

      Delete
    3. Your contributed is working. Thanks!, and I also thank to techiessphere.com

      Delete
  3. Hi Techies Sphere, Thank you so much, this worked for me and able to remediate few services alerted with "Unquoted service path" vulnerabilities. All is well.

    Just to check, i'm also looking for solution for "Default SMB Credentials" most my windows machines alerted with. still can't find right steps to remediate it. Do you have any idea? appreciated really.

    ReplyDelete
    Replies
    1. Hi, Thanks for writing back.

      See if the below KB helps:

      https://www.techiessphere.com/2017/03/disable-smbv1-on-multiple-computers.html

      Thanks

      Delete
  4. Windows Speculative Execution Configuration Check- how to fix this?

    ReplyDelete
    Replies
    1. Hi,

      Thanks for writing back.

      Could you please provide more detail about the issue you want to fix?

      Thanks

      Delete
  5. Windows Speculative Execution Configuration Check - how to fix this vulnerability on windows machines

    ReplyDelete
    Replies
    1. Hi,

      Thanks for writing back.

      Could you please provide more detail about the issue you want to fix?

      Thanks

      Delete
  6. hi
    my path is %ProgramFiles%\Windows Identity foundation\V3.5\c2wtshost.exe
    so all i need is add the two quote front and back like "%ProgramFiles%\Windows Identity foundation\V3.5\c2wtshost.exe"

    ReplyDelete
  7. Thank you for this!

    ReplyDelete
  8. Amazing! Thank you!

    ReplyDelete
  9. does this require reboot /restart after quoted ..Kindly confirm

    ReplyDelete
    Replies
    1. The system would not enforce to restart/reboot after making the changes, but its recommended to restart the system to ensure the changes take affect.

      Delete
  10. Is there a way to do this via editing the registry via a batch file?

    ReplyDelete
  11. Hi editing the path with quote is causing app to crash. Any solution or help?

    ReplyDelete
    Replies
    1. issues could be specific to the applications how they behave once you modify certain registry.

      Delete
  12. Hello Sir
    I need for apply the below vulnerability to Windows 10 any solution or help? thank you.

    Microsoft Windows Unquoted Service Path Enumeration port 445 vulnerability

    ReplyDelete
  13. May I just add one more "thank you" to the list? Thank you!!!

    ReplyDelete