Or, Unquoted service path vulnerability
Or, Mitigate unquoted service path vulnerabilities
Description: Unquoted service path vulnerabilities are rated as highly critical vulnerabilities in Windows. Don't worry, they are really very easy to fix.
If you have the vulnerability scan report with you, the report contains the following information about this reported vulnerability:
Vulnerability Name: Microsoft Windows Unquoted Service Path Enumeration
Vulnerability Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.
Vulnerability Description: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service. Note that this is a generic test that will flag any application affected by the described vulnerability.
Vulnerability Solution: Ensure that any services that contain a space in the path enclose the path in quotes.
IMP Note: There are two stages to fixing this vulnerability: 1. finding the unquoted paths on the affected server and 2. fixing the unquoted paths.
Step-1: How to find the unquoted service paths
Log in to the affected server with administrative privileges > run CMD as Administrator > run the following command:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Once the command has run successfully, you will see one or more unquoted service paths. The result may look like the reference screenshot below:
Copy all the results to a text or Excel file and move on to Step-2.
Step-2: Fixing unquoted service path vulnerabilities
Search for the unquoted registry entry of the affected service under the HKLM\System\CurrentControlSet\Services registry path > double-click the ImagePath value > add double quotes at the beginning and end of the path, like "servicepath"
Examples:
Unquoted service path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Quoted service path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
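The two steps above can also be scripted. The PowerShell below is an added example, not part of the original post: it reads each service's ImagePath under HKLM\System\CurrentControlSet\Services, reports the unquoted ones whose executable path contains a space, and writes the quoted value back only when run with -Apply. It goes beyond the wmic command by checking every service regardless of start mode or location; the function name Get-QuotedImagePath and the -Apply switch are names chosen for this example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# -Apply is a switch defined by this example; without it nothing is changed.
param([switch]$Apply)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-QuotedImagePath {
    param([string]$ImagePath)
    # Empty or already quoted: nothing to fix.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    if ($ImagePath.TrimStart().StartsWith('"')) { return $null }
    # Split the executable from any trailing arguments at the first ".exe".
    # Assumption: no directory name in the path itself contains ".exe ".
    if ($ImagePath -notmatch '^\s*(?<exe>.+?\.exe)(?<args>\s.*)?$') { return $null }
    $exe  = $Matches['exe']
    $rest = [string]$Matches['args']   # empty string when there are no arguments
    # Only an executable path containing whitespace needs the quotes.
    if ($exe -notmatch '\s') { return $null }
    return '"' + $exe + '"' + $rest
}

Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the raw value so %ProgramFiles%-style variables are kept as written.
    $raw   = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    $fixed = Get-QuotedImagePath -ImagePath $raw
    if ($fixed) {
        [pscustomobject]@{ Service = $_.PSChildName; Current = $raw; Proposed = $fixed }
        if ($Apply) {
            # Keep the original value type (REG_SZ or REG_EXPAND_SZ).
            $kind = $_.GetValueKind('ImagePath')
            Set-ItemProperty -Path $_.PSPath -Name 'ImagePath' -Value $fixed -Type $kind
        }
    }
}
```

Run it without -Apply first and save the report (for example by piping it to Export-Csv), so the original values can be restored if an application misbehaves after the change.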
The correct quoted service path image reference:
Cheers! Please write back to me if you have any query or feedback.
thanks!
YOU ROCK
It works, Thank you!!
Feedback: in my case it was an Intel Audio service which was located in C:\windows so your cmd didn't find it. I found this to be better (filters out svchost.exe services but will find other systemroot locations)
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "svchost.exe" |findstr /i /v """
Hi, Thanks a lot for your feedback and contribution. This will surely help other readers.
Happy Learning!
@SB the paths found by your command did not have whitespaces. If this is the case, I'd assume they're safe without quotes?
Your contribution is working. Thanks! I also thank techiessphere.com
Thank you :)
Hi Techies Sphere, Thank you so much, this worked for me and I was able to remediate a few services alerted with "Unquoted service path" vulnerabilities. All is well.
Just to check, I'm also looking for a solution for "Default SMB Credentials", which most of my Windows machines are alerted with. I still can't find the right steps to remediate it. Do you have any idea? Really appreciated.
Hi, Thanks for writing back.
See if the below KB helps:
https://www.techiessphere.com/2017/03/disable-smbv1-on-multiple-computers.html
Thanks
Windows Speculative Execution Configuration Check- how to fix this?
Hi,
Thanks for writing back.
Could you please provide more detail about the issue you want to fix?
Thanks
Windows Speculative Execution Configuration Check - how to fix this vulnerability on windows machines
Hi,
Thanks for writing back.
Could you please provide more detail about the issue you want to fix?
Thanks
hi
my path is %ProgramFiles%\Windows Identity foundation\V3.5\c2wtshost.exe
so all I need is to add the two quotes front and back, like "%ProgramFiles%\Windows Identity foundation\V3.5\c2wtshost.exe"
Thank you for this!
Amazing! Thank you!
Thanks!
Does this require a reboot/restart after quoting? Kindly confirm.
The system would not enforce a restart/reboot after making the changes, but it's recommended to restart the system to ensure the changes take effect.
Is there a way to do this via editing the registry via a batch file?
Hi, editing the path with quotes is causing the app to crash. Any solution or help?
Issues could be specific to the applications and how they behave once you modify certain registry entries.
Hello Sir
I need for apply the below vulnerability to Windows 10 any solution or help? thank you.
Microsoft Windows Unquoted Service Path Enumeration port 445 vulnerability
May I just add one more "thank you" to the list? Thank you!!!