Unquoted Service Path Vulnerability — MiniTool ShadowMaker v12.7
Introduction
Microsoft Windows offers a wide range of fine-grained permissions and privileges for controlling access to Windows components, including services, files, and registry entries. Exploiting the Unquoted Service path is one technique for increasing privileges.
Unquoted Service path is reported as a critical vulnerability in Windows. It allows an attacker to escalate privileges from a regular user to an NT AUTHORITY/SYSTEM user.
This article will discuss a vulnerability I found on MiniTool ShadowMaker v12.7 called “Unquoted Service Path”.
Table of Content
– About MiniTool
– What is a Windows Service
– The Differences between Windows Services and Regular Processes
– What is Unquoted Service Path Vulnerability
– Reproduce the Attack
– Proof-of-Concept (POC)
– Impact of Unquoted Service Path
– Unquoted Service Path Detection
– Unquoted Service Path Prevention
About MiniTool
MiniTool is a software development company specializing in data recovery, partition management, and backup solutions.
They offer partition management tools, such as MiniTool Partition Wizard, which allow users to organize and optimize their hard drives.
Additionally, MiniTool provides backup and recovery solutions through products like MiniTool ShadowMaker, offering complete system backups and data protection.
MiniTool’s software is known for its user-friendly interfaces, powerful functionality, and reliable customer support. Compatible with Windows and Mac systems, MiniTool caters to a wide range of users and helps them manage, recover, and protect their valuable data.
What is a Windows Service
A Windows Service is a background process in the Windows operating system that runs without a user interface.
It performs specific tasks or provides functionality like network communication, database management, or hardware control.
Services start automatically when the system boots up, run independently of any logged-in user, and are managed by the Service Control Manager.
They ensure continuous functionality and perform system-level operations that regular applications cannot. Examples include antivirus software, web servers, and print spoolers.
The Differences between Windows Services and Regular Processes
· Launch Mechanism – The end-user manually launches a regular application from the desktop or Start Menu. Examples include web browsers, document editing software, and PDF readers. Windows Services start when the machine is switched on. Note, however, that regular applications can be added to the Startup folder in the Start Menu, which would begin automatically once the operating system startup is complete.
· User Interface – Unlike regular applications, Windows Services do not have a user interface. They run in the background, and the user does not directly interact with them. A Windows Service does not stop when a user logs off the computer, but a regular application will.
· Multiple Instances – Only one instance of a Windows Service runs on a device. Regular applications allow multiple copies if several users are logged into the same machine.
· Administrator Rights – Windows Services usually run under SYSTEM privileges even when a non-administrator user is logged in and using the computer. The average Windows Service has more control over the machine than a regular application.
What is Unquoted Service Path Vulnerability
An Unquoted Service Path is a vulnerability created by a service whose executable path contains spaces and is not enclosed within quotes.
This kind of vulnerability, Unquoted Service Path, allows users to gain SYSTEM privileges.
If the service is not enclosed within quotes and has spaces, the system will take a break and put a .exe extension in every name with spaces.
It’s important to check if you have permission to Write to one of the folders in the path for delivering your executable file.
Reproduce the Attack
To exploit the unquoted service path, the attacker should take the following steps:
1. Open the CMD prompt and type the following command:
wmic service get name, displayname, pathname, startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””
2. The command will print to your screen the unquoted service paths that exist in your system:
C:\Program Files\MiniTool ShadowMaker\AgentService.exe
C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
3. Create a malicious executable file and name it under the folder’s name with a space, such as Program.exe, or MiniTool.exe.
4. Insert the file in one of the folders in the path (depending on the executable’s name).
5. Reboot the system.
6. Get a reverse shell as a SYSTEM user.
Proof-of-Concept (POC)
For PoC, click here
Impact of Unquoted Service Path Vulnerability
The impact of this vulnerability may be:
1. Privilege Escalation: An attacker can exploit the unquoted service path vulnerability to gain control of Windows systems with elevated privileges.
An attacker can insert a malicious executable file into a directory with a space in its path, and the software’s service may run the malicious executable file instead of its intended target.
2. System Compromise: An attacker can access the system with the highest privileges.
This can allow attackers to steal sensitive data, delete critical system files, or turn off Antivirus software.
3. Persistence: An attacker can exploit the unquoted service path vulnerability and maintain access and control over the system even after a reboot or other system changes.
Unquoted Service Path Detection
To detect an unquoted service path in software, you can run the following command in a CMD prompt:
wmic service get name, displayname, pathname, startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””
Then you can detect software vulnerable to such unquoted service path vulnerability.
Unquoted Service Path Prevention
To prevent an unquoted service path in software, you need to take the following steps:
1. Open Regedit as an administrator.
2. Enter the path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTAgentService
3. Double-click “ImagePath” and add quotes to the path, like: “C:\Program Files\MiniTool ShadowMaker\AgentService.exe.”
4. Repeat the steps to change the path to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTSchedulerService.
5. Run the command in the CMD prompt:
wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v “C:\Windows\\” | findstr /i /v “””
On 06/07/2023, I received two CVEs about the Unquoted Service Path vulnerability in the MiniTool product:
CVE-2023–36164
CVE-2023–36165
Unfortunately, after two weeks, I received a message from MITRE that the signatures were created by mistake and they are rejecting the CVEs signatures that they brought me for some reason.