During pentest engagement we often manage to get a shell (usually it’s enough to prove your point) but what if one can truly get a complete hold of system ?
So there are tons of privilege escalation techniques out there which includes exploiting kernel level bug, mis-configurations so on and so forth.
One of the ways to get elevated access is to exploit unquoted service paths of services running under high privileged user such as administrator or system account
The concept behind unquoted service is service path name contains white space windows assumes that anything before white space is the binary location and anything after that is argument, if it fails to to locate any binary there then it moves on to next directory defined in service path name, to make it more clear lets take a look at below example:-
C:\Program Files\Company Name\AppName Version\App_Binary.exe
when the service starts windows will first look for Programs.exe in C:\ if it does not find any binary named as Program.exe then it will look for Company.exe again if it finds any binary named Company.exe windows will execute it instead of orignal binary i.e App_Binary.exe
So in order to exploit this scenario following conditions must meet:-
1-Service running under high privileged account i.e administrator/system
2-Service path must contain white space
3-One must have write access to directories of the service/app.
For demo purpose Foxit PDF Reader version 22.214.171.1246
Download Link:- http://www.oldapps.com/foxit_reader.php?old_foxit_reader=15897?download
The following screenshot shows that we already have a limited access to system
The following wmic query stolen shamelessly from internet can help in identifying unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
with the help of cacls utility that we can enumerate permissions, which in our case provides append rights to unprivileged user which means one can create files in that directory.
Uploading file to directory….
Once the service is restarted it will execute our binary instead of intended one and provide us with elevated privileges.