Microsoft Windows Unquoted Service Path Enumeration - Nessus

High   Plugin ID: 63155

This page contains detailed information about the Microsoft Windows Unquoted Service Path Enumeration Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 63155
Name: Microsoft Windows Unquoted Service Path Enumeration
Filename: smb_enum_unquoted_service_paths.nasl
Vulnerability Published: 2012-09-15
This Plugin Published: 2012-12-05
Last Modification Time: 2020-06-12
Plugin Version: 1.22
Plugin Type: local
Plugin Family: Windows
Dependencies: smb_enum_services_params.nasl, symantec_encryption_desktop_sym13-010.nasl, symantec_enterprise_security_manager_sym12-020.nasl, symantec_wsa_sym15-004.nasl
Required KB Items [?]: SMB/Services/Enumerated

Vulnerability Information

Severity: High
Vulnerability Published: 2012-09-15
Patch Published: N/A
CVE [?]: CVE-2013-1609, CVE-2014-0759, CVE-2014-5455
CPE [?]: N/A

Synopsis

The remote Windows host has at least one service installed that uses an unquoted service path.

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.

Solution

Ensure that any services that contain a space in the path enclose the path in quotes.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Microsoft Windows Unquoted Service Path Enumeration vulnerability:

  1. Metasploit: exploit/windows/local/unquoted_service_path
    [Windows Service Trusted Path Privilege Escalation]
  2. Exploit-DB: exploits/windows_x86/local/34037.txt
    [EDB-34037: OpenVPN Private Tunnel Core Service - Unquoted Service Path Privilege Escalation]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSS Base Score:6.9 (Medium)
Impact Subscore:10.0
Exploitability Subscore:3.4
CVSS Temporal Score:5.4 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:5.4 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS Base Score:7.8 (High)
Impact Subscore:5.9
Exploitability Subscore:1.8
CVSS Temporal Score:7.0 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.0 (High)

Go back to menu.

Plugin Source

This is the smb_enum_unquoted_service_paths.nasl nessus plugin source code. This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. 

#
# (C) Tenable Network Security, Inc
#

include("compat.inc");

if (description)
{
  script_id(63155);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2013-1609", "CVE-2014-0759", "CVE-2014-5455");
  script_bugtraq_id(58591, 58617, 65873, 68520);
  script_xref(name:"ICSA", value:"14-058-01");
  script_xref(name:"EDB-ID", value:"34037");

  script_name(english:"Microsoft Windows Unquoted Service Path Enumeration");
  script_summary(english:"Generic check for unquoted service paths.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has at least one service installed that uses
an unquoted service path.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host has at least one service installed that uses
an unquoted service path, which contains at least one whitespace. A
local attacker can gain elevated privileges by inserting an executable
file in the path of the affected service.

Note that this is a generic test that will flag any application
affected by the described vulnerability.");
  # https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84a4cc1c");
  script_set_attribute(attribute:"see_also", value:"http://cwe.mitre.org/data/definitions/428.html");
  script_set_attribute(attribute:"see_also", value:"https://www.commonexploits.com/unquoted-service-paths/");
  # http://www.ryanandjeffshow.com/blog/2013/04/11/powershell-fixing-unquoted-service-paths-complete/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4aa6acbc");
  script_set_attribute(attribute:"solution", value:
"Ensure that any services that contain a space in the path enclose the
path in quotes.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Windows Service Trusted Path Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");

  script_dependencies("smb_enum_services_params.nasl", "symantec_encryption_desktop_sym13-010.nasl", "symantec_enterprise_security_manager_sym12-020.nasl", "symantec_wsa_sym15-004.nasl");
  script_require_keys("SMB/Services/Enumerated");

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");
include("smb_func.inc");

function extract_service_path()
{
  local_var item, idx;

  item = _FCT_ANON_ARGS[0];
  # If the first character is a '"', the path is enclosed, so just use
  # that to extract the path
  if (item =~ '^"')
  {
    item = ereg_replace(pattern:'^("[^"]+").*', string:item, replace:"\1");
  }
  else
  {
    # First extract any extra paths from the arguments
    item = ereg_replace(pattern:'^(\\s+)?("?([A-Za-z]:|\\\\)\\\\[^:]+).*', string:item, replace:"\2");

    # Service arguments use '-' or '/' characters for flags
    # First look for '/' flags
    if ('/' >< item)
    {
      idx = stridx(item, '/');
      item = item - substr(item, idx);
    }

    # Now look for ' -' flags
    if (' -' >< item)
    {
      idx = stridx(item, ' -');
      item = item - substr(item, idx);
    }

    # Some arguments don't use a flag
    item = ereg_replace(pattern:'^(([A-Za-z]:|\\\\)\\\\.*\\\\[^\\.]+\\.[^\\s]+).*', string:item, replace:"\1");
  }
  return item;
}

slist = get_kb_list_or_exit('SMB/svc/*/startuptype');
services = make_list();

# Unless we are paranoid, only focus on the services that
# aren't disabled
if (report_paranoia < 2)
{
  foreach service (keys(slist))
  {
    if (slist[service] == 2 || slist[service] == 3)
    {
      services = make_list(services, service - 'SMB/svc/' - '/startuptype');
    }
  }
}
else
{
  foreach service (keys(slist))
  {
    services = make_list(services, service - 'SMB/svc/' - '/startuptype');
  }
}

# Ignore services that we are explicitly checking in other
# plugins
items = get_kb_list('SMB/Unquoted/*');
unquoted = make_array();
if (!isnull(items))
{
  foreach key (keys(items))
  {
    key = key - 'SMB/Unquoted/';
    unquoted[key] = TRUE;
  }
}
# Loop over the services and check the executable path
path = '';
info = '';
for (i=0; i < max_index(services); i++)
{
  # We have a separate check for the PGP RDD Service
  service = services[i];
  if (unquoted[service]) continue;

  item = get_kb_item('SMB/svc/'+services[i]+'/path');
  if (isnull(item)) continue;
  # Parse the service to get the path
  path = extract_service_path(item);

  # If there is a space in the path and it isn't enclosed in '"'
  # there is a problem
  if (' ' >< path && path !~ '^".*"$')
  {
    # Make sure the whitespace isn't only at the end of the path
    if (path !~ '^[^\\s]+\\s+$')
    {
      info += '  ' + services[i] + ' : ' + path + '\n';
    }
  }
}

if (info)
{
  port = get_kb_item('SMB/transport');
  if (report_verbosity > 0)
  {
    if (max_index(split(info, sep:'\n')) > 1) s = 's ';
    else s = ' ';

    report =
      '\nNessus found the following service' + s + 'with an untrusted path : ' +
      '\n' +
      info +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/smb_enum_unquoted_service_paths.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_enum_unquoted_service_paths.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/smb_enum_unquoted_service_paths.nasl

Go back to menu.

How to Run

Here is how to run the Microsoft Windows Unquoted Service Path Enumeration as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Microsoft Windows Unquoted Service Path Enumeration plugin ID 63155.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_enum_unquoted_service_paths.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_enum_unquoted_service_paths.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_enum_unquoted_service_paths.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state smb_enum_unquoted_service_paths.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: ICSA | ICS Advisory: See also: Similar and related Nessus plugins:
  • 26919 - Microsoft Windows SMB Guest Account Local User Access
  • 34412 - MS08-059: Microsoft Host Integration Server (HIS) SNA RPC Request Remote Overflow (956695) (uncredentialed check)
  • 34477 - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check)
  • 34821 - MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) (ECLIPSEDWING) (uncredentialed check / IPS)
  • 35362 - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
  • 35634 - MS KB960715: Cumulative Security Update of ActiveX Kill Bits
  • 35635 - MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) (uncredentialed check)
  • 46017 - MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858) (uncredentialed check)
  • 47045 - MS KB2219475: Windows Help Center hcp:// Protocol Handler Arbitrary Code Execution
  • 47556 - MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468) (uncredentialed check)
  • 47750 - MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)
  • 48405 - MS10-054: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) (remote check)
  • 49274 - MS KB2401593: Microsoft Outlook Web Access (OWA) CSRF
  • 51587 - MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution
  • 53503 - MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) (remote check)
  • 55286 - MS11-048: Vulnerability in SMB Server Could Allow Denial of Service (2536275) (remote check)
  • 62224 - MS KB2755399: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 63372 - MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)
  • 64508 - MS KB2811522: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 66423 - MS KB2820197: Update Rollup for ActiveX Kill Bits
  • 71325 - MS KB2907997: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 72286 - MS KB2929825: Update for Vulnerability in Adobe Flash Player in Internet Explorer
  • 73742 - MS KB2961887: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 73865 - MS KB2962393: Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client (Heartbleed)
  • 76416 - MS KB2974008: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 77170 - MS KB2982794: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 77580 - MS KB2987114: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 78444 - MS KB3001237: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 78447 - MS KB3009008: Vulnerability in SSL 3.0 Could Allow Information Disclosure (POODLE)
  • 79145 - MS KB3004150: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 80333 - Microsoft Visual Studio .gitconfig Command Execution
  • 81046 - MS KB3035034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 81209 - MS KB3021953: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 81732 - MS KB3044132: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_enum_unquoted_service_paths.nasl version 1.22. For more plugins, visit the Nessus Plugin Library.

Go back to menu.