While testing a Windows workstation, a consultant observes that a background service references an executable path that includes spaces but lacks quotation marks. The service is running under a high-level account. The consultant intends to gain advanced permissions on the system. Which method is an effective technique to accomplish this?
Rename the service binary on disk and rely on a shared library with a similar name
Stop the service, reset account credentials, and use a scheduled task to run unexpected code
Modify the registry run key for this service to point toward a hidden subfolder
Place a malicious file in the directory that matches the path up to the first space
Placing a malicious file in the unquoted path leverages how the operating system parses paths with spaces. This allows the malicious file to be executed with the same level of permissions as the service. Renaming the original service binary or changing run keys do not exploit this specific flaw in how paths are parsed. Disabling the service and trying other approaches also does not utilize the missing quotes to gain advanced permissions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does the lack of quotation marks in a file path cause a vulnerability?
Open an interactive chat with Bash
How can permissions of the affected service increase the severity of this vulnerability?
Open an interactive chat with Bash
How can organizations prevent unquoted path vulnerabilities?