
Unquoted Service Paths

Manual and automated processes to resolve unquoted service path issues

The Risk

The remote Windows host has services installed whose executable paths are unquoted and contain at least one space. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

The Fix

  1. Open the Registry Editor in Administrator Mode
  2. Go to HKLM\System\CurrentControlSet\Services
  3. Locate the service which has been highlighted as the issue

    e.g.

    • OpenVPNConnectorService
      Value name: ImagePath
      Value data: C:\Program Files\OpenVPN Connect\ovpnconnector.exe run
  4. Enclose the path in quote marks

    e.g.

    • OpenVPNConnectorService
      Value name: ImagePath
      Value data: "C:\Program Files\OpenVPN Connect\ovpnconnector.exe" run

Also

You can search for any "Unquoted Path" issues using the following PowerShell command.

    Get-CimInstance Win32_Service | Where-Object {
        # Save the capture in $bin: a later -match would overwrite $Matches.
        $_.PathName -and $_.PathName.TrimStart() -notlike '"*' -and
        $_.PathName -imatch '^\s*(?<bin>.+?\.exe)' -and ($bin = $Matches['bin']) -and
        $bin -match '\s' -and $bin -notmatch '(?i)^%SystemRoot%\\|^C:\\Windows\\'
    } | Select-Object Name,StartMode,PathName | Format-Table -AutoSize

You can also run a script to modify any identified paths, either as a one-time task or as a recurring task within an RMM tool or similar. The PowerShell below is a quick single pipeline to fix these.

    Get-CimInstance Win32_Service | Where-Object {
        # Save the capture in $bin: a later -match would overwrite $Matches.
        $_.PathName -and $_.PathName.TrimStart() -notlike '"*' -and
        $_.PathName -match '^\s*(.+?\.exe)(\s.*)?$' -and ($bin = $Matches[1]) -and
        $bin -match '\s' -and $bin -notmatch '(?i)^%SystemRoot%\\|^C:\\Windows\\'
    } | ForEach-Object {
        $old = $_.PathName
        $new = $old -replace '^\s*(.+?\.exe)(\s.*)?$', '"$1"$2'
        Write-Host ("Fixing {0}: {1} -> {2}" -f $_.Name, $old, $new)
        Set-ItemProperty -Path ("HKLM:\SYSTEM\CurrentControlSet\Services\{0}" -f $_.Name) -Name ImagePath -Value $new
    }
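
A more cautious form of the fix above, as an added example that is not part of the original article: it reads ImagePath straight from the registry, supports -WhatIf for a dry run, saves the original values to a CSV before changing anything, and reads each value back afterwards. The function name Get-QuotedImagePath, the $BackupCsv parameter and its default location are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed location for the rollback record; change it to suit your environment.
    [string]$BackupCsv = "$env:ProgramData\UnquotedServicePaths-rollback.csv"
)
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-QuotedImagePath {
    # Returns the quoted form of an unquoted ImagePath, or $null when no change is needed.
    param([string]$ImagePath)
    if (-not $ImagePath -or $ImagePath.TrimStart().StartsWith('"')) { return $null }
    if (-not ($ImagePath -match '^\s*(?<bin>.+?\.exe)(?<args>\s.*)?$')) { return $null }
    # Copy the captures now: any later -match would overwrite $Matches.
    $bin = $Matches['bin']; $svcArgs = $Matches['args']
    if ($bin -notmatch '\s') { return $null }                            # no space, nothing to fix
    if ($bin -match '^(%SystemRoot%|C:\\Windows)\\') { return $null }   # same exclusion as the commands above
    return '"{0}"{1}' -f $bin, $svcArgs
}

$changes = foreach ($svc in Get-ChildItem -LiteralPath $servicesKey) {
    # Read the stored string without expanding environment variables.
    $old = $svc.GetValue('ImagePath', $null, $raw)
    $new = Get-QuotedImagePath -ImagePath $old
    if ($new) {
        [pscustomobject]@{ Service = $svc.PSChildName; Kind = $svc.GetValueKind('ImagePath'); Old = $old; New = $new }
    }
}
if (-not $changes) { Write-Output 'No unquoted service paths found.'; return }

# Save the original values first so every change can be reverted from the CSV.
$changes | Export-Csv -LiteralPath $BackupCsv -NoTypeInformation -Append

foreach ($c in $changes) {
    $key = Join-Path $servicesKey $c.Service
    if ($PSCmdlet.ShouldProcess($c.Service, "Set ImagePath to $($c.New)")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $c.New -Type $c.Kind
        # Read the value back and report whether the write took effect.
        $now = (Get-Item -LiteralPath $key).GetValue('ImagePath', $null, $raw)
        [pscustomobject]@{ Service = $c.Service; Old = $c.Old; New = $now; Verified = ($now -eq $c.New) }
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to preview the changes; in that mode neither the registry nor the CSV is written.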