# MICROSOFT'S UNQUOTED SERVICES

## :book: Introduction

An unquoted service path is a misconfiguration in which a service's binary path contains spaces but is not wrapped in quotes, which allows a malicious binary to be executed instead of the intended one. This is a very common but dangerous vulnerability. Let's see how it works and how to prevent it.

## 🧰 Deploying the vulnerable service

First, we have to create a service. I will create a service named vulnservice and use the same name for the "DisplayName" value (the name shown in the Task Manager). This service will run a binary named superhelloworld, located in a folder on godly's desktop, after a reboot.

```bash=1
sc create (name) start= auto binPath= "PATH\TO\SERVICE\BIN" DisplayName= (name)
```

![](https://i.imgur.com/3NkeQNz.png)

:::info
Important note: The quotes in the command aren't real quotes. They only delimit the binPath argument and are not stored in the service's path. Creating a service this way is very insecure.
:::

After creating the service, we can check that it is insecure with the wmic command, using several parameters to filter for services whose paths have no quotes.

```bash=
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
```

![](https://i.imgur.com/9JuL8ja.png)

Cool (or not), the service is vulnerable. So, how can we exploit this?

## :collision: Exploiting the vulnerable service

Exploiting the service is not hard. We only need to place the malicious binary at a path that ends where one of the spaces occurs. For example, if the binary's path is:

```bash=1
C:\United Kingdom\Hogwarts\Slytherin Common\Draco Malfoy\snake.exe
```

Windows tries to load the service binary from the following paths, in order:

```bash=1
C:\United.exe
C:\United Kingdom\Hogwarts\Slytherin.exe
C:\United Kingdom\Hogwarts\Slytherin Common\Draco.exe
C:\United Kingdom\Hogwarts\Slytherin Common\Draco Malfoy\snake.exe
```

So, if we put the malicious executable at one of the previous paths (except the last), Windows runs our malicious binary first. For this example, I used the Mimikatz binary.
![](https://i.imgur.com/n2Flcvj.png)

After a reboot, we can start the service with the net command.

```bash=1
net start (nameservice)
net stop (nameservice)
rem net has no "restart" verb: stop the service, then start it again
```

If we go to the Task Manager, we can see that the mimikatz process is running in the background.

![](https://i.imgur.com/uYUtbsj.png)

## :shield: Create secure services

To create a secure service, we have to wrap the path in double quotes escaped with backslashes.

```bash=1
sc create (name) start= auto binPath= "\"PATH\TO\SERVICE\BIN\"" DisplayName= (name)
```

![](https://i.imgur.com/jowNPwM.png)

If we check the service again with the wmic command, it isn't in the output. So the service is no longer vulnerable to unquoted path hijacking.
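
To audit a whole list of services instead of reading the wmic output by eye, the following added example (not part of the original write-up) applies the path resolution order described above to each service path and reports the earlier locations that would be tried, so you know which services to re-create with quotes and which folders need their write permissions reviewed. The function names and the sample rows are constructed for illustration, and treating the first prefix ending in `.exe` as the intended binary is an assumption of this sketch.

```python
import re

# Constructed sample rows (service name, binary path), not taken from a real host.
SAMPLE_SERVICES = [
    ("vulnservice", r"C:\United Kingdom\Hogwarts\Slytherin Common\Draco Malfoy\snake.exe"),
    ("quotedsvc", r'"C:\United Kingdom\Hogwarts\Slytherin Common\Draco Malfoy\snake.exe" -run'),
    ("nospaces", r"C:\Tools\agent.exe --service"),
    ("svchost", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("argsonly", r"C:\Program Files\Vendor\agent.exe /config C:\My Data\a.ini"),
]

def interception_candidates(image_path):
    """Return the paths tried before the intended binary ([] = not affected)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: the path is parsed as one unit
    candidates = []
    # Every space (and the end of the string) closes one possible program name.
    for match in re.finditer(r" |$", path):
        prefix = path[:match.start()]
        if prefix.endswith(" "):
            continue                   # skip repeated spaces
        # Assumption: the first prefix ending in .exe is the intended binary;
        # everything after it is command-line arguments.
        if prefix.lower().endswith(".exe"):
            return candidates
        candidates.append(prefix + ".exe")
    return []                          # no .exe found: nothing to report

def audit(services):
    """Map each affected service name to its candidate paths."""
    findings = {}
    for name, image_path in services:
        found = interception_candidates(image_path)
        if found:
            findings[name] = found
    return findings

if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: quote binPath and review write access to:")
        for p in paths:
            print("    " + p)
```

Unlike the `findstr` filter, this check does not need to exclude `C:\Windows` by name, and it ignores spaces that only appear in the arguments after the executable.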