PowerShell: Remediate Microsoft Windows Unquoted Service Path Enumeration

Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.
 
(Source: Tenable.IO)
 
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

There is more than one way to skin this rabbit. The manual method is time-consuming. Why use the proverbial knife to perform this task when a security company, Vector BCO, has already provided the machinery to instantly convert rabbits to predigested protein? I don’t like this analogy any more than you do, so I’ll stop doodling and get to the point.

Oh, the point… Here is a PowerShell script that automates the fix for Windoze boxes residing in proxy-controlled environments.

# Set proxy values
$proxy="http://proxy:8080"
$exclusionList="localhost;*.kimconnect.com"

function fixProxy{
    # Check if proxy is enabled on the system and fix it
    $proxyKey=(Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    if ($proxyKey.ProxyEnable){
        # Set http proxy for browsers
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name 'ProxyServer' -Value $proxy

        # Set winhttp proxy for PowerShell
        netsh winhttp set proxy $proxy $exclusionList
        [system.net.webrequest]::defaultwebproxy = New-Object system.net.webproxy($proxy)
        [system.net.webrequest]::defaultwebproxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        [system.net.webrequest]::defaultwebproxy.BypassProxyOnLocal = $true
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    }

    if (checkProxy){
        "Proxy is now good to go..."
        $GLOBAL:haveInternet=$True
    }
    else{
        "Proxy problems..."
        $GLOBAL:haveInternet=$False
        # 'break' outside a loop unwinds the whole call stack; return and let the caller check $haveInternet
        return
    }
}

function checkProxy{
    try{
        # -UseBasicParsing avoids a dependency on the Internet Explorer engine
        $connectionTest=Invoke-WebRequest download.microsoft.com -UseBasicParsing
        if ($connectionTest){
            # Set the global flag; a plain assignment would only create a function-local variable
            $GLOBAL:haveInternet=$True
            return $True
        }
        return $False
    }
    catch{
        return $False
    }
}


function fixUnquotedServicePathEnum{
    if (!($GLOBAL:haveInternet)){fixProxy}
    # Stop here if there is still no connectivity
    if (!($GLOBAL:haveInternet)){return}

    $fixScriptDownload="https://kimconnect.com/wp-content/uploads/2019/05/Windows_Path_Enumerate.zip"
    $fixScriptDestination="C:\Temp\Windows_Path_Enumerate.zip"
    $destination="C:\Temp"
    # Create the working folder if it is missing
    if (!(Test-Path $destination)){New-Item -ItemType Directory -Path $destination | Out-Null}
    (New-Object System.Net.WebClient).DownloadFile($fixScriptDownload, $fixScriptDestination)
    # -Force lets the script be re-run over an earlier extraction
    Expand-Archive -Path $fixScriptDestination -DestinationPath $destination -Force
    # The extracted script runs with your privileges and rewrites registry values, and C:\Temp is often
    # writable by non-admin users: review the extracted file before letting this line run
    C:\Temp\Windows_Path_Enumerate.ps1 -FixUninstall -FixEnv

    <# This doesn't work if the proxy is blocking ps1 downloads or Microsoft requires a manual trigger of agreement
    $fixScriptDestination="C:\Temp\Windows_Path_Enumerate.ps1"
    $fixScriptDownload="https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341/file/136821/7/Windows_Path_Enumerate.ps1"
    (New-Object System.Net.WebClient).DownloadFile($fixScriptDownload, $fixScriptDestination)
    C:\Temp\Windows_Path_Enumerate.ps1 -FixUninstall -FixEnv
    #>
}

fixUnquotedServicePathEnum

Expected Output
C:\Users\kimconnect\Desktop\unit-test.ps1
2019-05-10 18:05:10Z : INFO : Executed x64 Powershell on x64 OS
2019-05-10 18:05:10Z : INFO : Computername: KOMPUTER
2019-05-10 18:05:10Z : Old Value : Service : 'ams' - C:\Program Files\OEM\AMS\service\ams.exe
2019-05-10 18:05:10Z : Expected : Service : 'ams' - "C:\Program Files\OEM\AMS\service\ams.exe"
2019-05-10 18:05:10Z : SUCCESS : Path value was changed for Service 'ams'
2019-05-10 18:05:11Z : Old Value : Service : 'sma' - C:\Program Files\OEM\AMS\service\sma.exe
2019-05-10 18:05:11Z : Expected : Service : 'sma' - "C:\Program Files\OEM\AMS\service\sma.exe"
2019-05-10 18:05:11Z : SUCCESS : Path value was changed for Service 'sma'
2019-05-10 18:05:11Z : Old Value : Software : '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}' - C:\Program Files\Altiris\Altiris Agent\aexnsagent.exe /uninstall
2019-05-10 18:05:11Z : Expected : Software : '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}' - "C:\Program Files\Altiris\Altiris Agent\aexnsagent.exe" /uninstall
2019-05-10 18:05:11Z : SUCCESS : Path value was changed for Software '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}'
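
A read-only way to confirm the result before or after running the fix, added here as an example (it is not part of the original script or of Windows_Path_Enumerate.ps1): it lists services whose executable path contains a space and is not quoted, next to the quoted value the Solution calls for. The function names are illustrative, and the parsing assumes the executable name ends in .exe.

```powershell
# Added example: read-only audit; nothing is written to the registry.
# Function names are illustrative; parsing assumes the executable ends in .exe.
function Get-QuotedImagePath {
    param([string]$ImagePath)
    # A path that already starts with a quote needs no change
    if ($ImagePath -match '^\s*"') { return $null }
    # Separate the executable (up to the first ".exe" followed by a space or
    # end of string) from any trailing arguments
    if ($ImagePath -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        $exe  = $Matches['exe']
        $rest = $Matches['args']      # $null when there are no arguments
        # Only a path containing whitespace is affected
        if ($exe -match '\s') { return '"' + $exe + '"' + $rest }
    }
    return $null
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $expected = Get-QuotedImagePath -ImagePath $_.PathName
        if ($expected) {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                Current   = $_.PathName
                Expected  = $expected
            }
        }
    }
}

# Self-check with values from the Expected Output above plus two constructed ones
$samples = [ordered]@{
    'C:\Program Files\OEM\AMS\service\ams.exe' = '"C:\Program Files\OEM\AMS\service\ams.exe"'
    'C:\Program Files\Altiris\Altiris Agent\aexnsagent.exe /uninstall' = '"C:\Program Files\Altiris\Altiris Agent\aexnsagent.exe" /uninstall'
    'C:\Windows\system32\svchost.exe -k netsvcs' = $null   # constructed: no space in path
    '"C:\Program Files\Vendor\agent.exe" -run'    = $null   # constructed: already quoted
}
foreach ($s in $samples.GetEnumerator()) {
    if ((Get-QuotedImagePath $s.Key) -ne $s.Value) { throw "Unexpected result for $($s.Key)" }
}

# An empty result means no unquoted service paths remain on this host
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Win32_Service does not include kernel drivers or the uninstall strings that the -FixUninstall switch touches, so this check covers the service entries only.
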
Additional Information from Tenable.IO
Risk Information

Risk Factor: Medium
CVSS v3.0 Base Score: 7.8
CVSS v3.0 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0 Temporal Vector: E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 7.0
CVSS Base Score: 6.9
CVSS Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 5.4
CVSS Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: 09/15/12 at 12:00 AM
Exploitable With
Metasploit (Windows Service Trusted Path Privilege Escalation)

Reference Information

CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1609, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0759, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5455
ICSA: 14-058-01
