Path Interception by Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher-level directory within the path, so that Windows will choose the adversary's executable to launch.

Service paths (stored in Windows Registry keys) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\unsafe path with space\program.exe"). An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program.

This technique can be used for persistence if executables are called on a regular basis, as well as for privilege escalation if the intercepted executables are started by a higher-privileged process.

Example:

This is a very popular and well-known technique: some software ships with a small but important configuration detail missing, namely the quoting ("") of the full path to a file or binary. Windows has folders whose names contain spaces (C:\Program Files\), and in an unquoted path Windows treats a space as the end of the file name, i.e. the point where the name terminates. That is why the path must be quoted, so that Windows reads it as one complete path even when a space (" ") appears in the path name.

It's important to have these quoted paths, since without them Windows will not find the assigned file or binary directly when it searches for it at service start; in this situation an attacker can take advantage of this and add a malicious payload at a path that comes before the intended one.
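To make the search order concrete, here is an added Python model of the resolution rule described above; it is not code from the original page and is not part of PrivescCheck. It assumes the documented CreateProcess behaviour for an unquoted command line (split at each space, try each growing prefix, append .exe when the prefix has no extension, stop at the first match), and models that search statically by stopping at the first prefix that already ends in .exe. The service entries are constructed samples in the shape of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath values, not real services; on a live host you would feed it the real ImagePath strings and then check the ACLs of each reported parent directory.

```python
import ntpath

# Extension CreateProcess appends when a candidate has none (documented behaviour).
DEFAULT_EXT = ".exe"


def candidate_paths(image_path: str) -> list[str]:
    """Return, in order, the executables Windows would look for when
    launching this ImagePath. A quoted path yields exactly one candidate;
    an unquoted path with spaces yields one candidate per space before
    the intended binary, the last entry being the intended binary."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        # Quoted: the module name is exactly the quoted string, no ambiguity.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(DEFAULT_EXT):
            candidates.append(prefix)  # the intended executable; search stops here
            break
        # No extension on this prefix: CreateProcess would append .exe.
        ext = ntpath.splitext(prefix)[1]
        candidates.append(prefix + DEFAULT_EXT if not ext else prefix)
    return candidates


def is_unquoted_vulnerable(image_path: str) -> bool:
    """True when more than one candidate exists, i.e. the path is unquoted
    and at least one space precedes the intended executable."""
    return len(candidate_paths(image_path)) > 1


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an unquoted, space-containing ImagePath to the
    interception candidates that precede the intended binary. Each of these
    is a file name whose parent directory must not be writable by
    unprivileged users."""
    findings = {}
    for name, image_path in services.items():
        cands = candidate_paths(image_path)
        if len(cands) > 1:
            findings[name] = cands[:-1]
    return findings


def quoted_image_path(image_path: str) -> str:
    """Mitigation: wrap the executable portion in quotes so CreateProcess
    treats it as a single module name. Returns the input unchanged when it
    is already quoted or has no space before the executable."""
    cmd = image_path.strip()
    cands = candidate_paths(cmd)
    exe = cands[-1]
    if len(cands) == 1 or not cmd.startswith(exe):
        return cmd
    return f'"{exe}"{cmd[len(exe):]}'


# Constructed sample ImagePath values (hypothetical services, not real ones).
SAMPLE_SERVICES = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\svc host\svc.exe -run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc host\svc.exe" -run',
    "NoSpaceSvc": r'C:\svc\app.exe -config "x y"',
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted ImagePath; verify these locations are not user-writable:")
        for p in paths:
            print("   ", p)
        print("    fix:", quoted_image_path(SAMPLE_SERVICES[svc]))
```

Only ExampleSvc is reported: the quoted entry, the entry whose only space sits in the arguments after the .exe, and the svchost entry all resolve to a single candidate. The reported list (C:\Program.exe, C:\Program Files\Example.exe, C:\Program Files\Example Vendor\svc.exe) is exactly the set of locations a tool such as PrivescCheck goes on to test for write access.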

A very great tool that I recently found, and whose output is very clean, is PrivescCheck.

The output is user friendly, and it even has a highlighted section at the end of its run that tidies everything up for you so you can find the vulnerability.

Sample:

So let us pay attention to the Unquoted Path result.

Look at this: CCleaner is unquoted and it's a service where the path is modifiable, and we see that the C:\ path is WRITE accessible. But unfortunately, as a user we don't have permissions to start or restart it, so what best option do we have? Well, I wouldn't call this ethical, but we can probably crash the OS and force a reboot, ONLY if it's not possible to restart it as a user. But here, for the sake of demonstration, I will restart it as the Administrator and have my payload executed.
