SERVICES > Unquoted Path not work as expected about privesccheck HOT 3 CLOSED

Hi!

Your analysis is correct, you did not do anything wrong. I think I might have introduced a regression in the code at some point. 😬

No worries, you don't need to write code or submit a PR to contribute. Opening an issue with this level of detail is largely enough to help. 🙂

Thanks for reporting this bug. I'll have a look at this. 👍

from privesccheck.

Thanks to the information you reported, I was able to reproduce the issue on my lab machine.

There were two problems:

1. I was checking whether the permission WriteData/AddFile was granted. That was valid before I implemented a helper function that makes the difference between files and folders. This helper just returns WriteData if it's a file, and AddFile if it's a folder. I forgot to update the code to reflect this change, hence the first regression.
2. At some point, I modified the helper function Get-ModifiablePath so that it returns the permission as a string (joined array) rather than an array. Since I had a test like $PermissionSet -contains $Permission, this did no longer work. This was the second regression.

Now, it should report exploitable unquoted paths correctly.

+------+------------------------------------------------+------+
| TEST | SERVICES > Unquoted Path                       | VULN |
+------+------------------------------------------------+------+
| DESC | List registered services and check whether any of     |
|      | them is configured with an unquoted path that can be  |
|      | exploited.                                            |
+------+-------------------------------------------------------+
[*] Found 1 result(s).


Name              : unquotedsvc
ImagePath         : c:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe
User              : LocalSystem
ModifiablePath    : C:\Program Files\Unquoted Path Service
IdentityReference : BUILTIN\Users
Permissions       : Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory,
                    WriteExtendedAttributes, ReadAttributes, AddFile, ReadExtendedAttributes, Traverse
Status            : Stopped
UserCanStart      : False
UserCanStop       : False

The moral of the story is "I should have implemented unit tests"... :/

Anyways, thank you very much for reporting this. This is much appreciated. 🙏

from privesccheck.

🙏 Thank you for providing a detailed description of the issue and quickly resolving it. I will now close this issue. 🌟

from privesccheck.