Unquoted Service Paths

If the path to a service binary (one that runs as SYSTEM, for example) isn't wrapped in quotes and contains spaces, the service is vulnerable: when Windows starts it, each space is treated as a possible end of the executable name, and those shorter prefixes are tried before the full path. Let's say there's a program called program.exe with the path

C:\PROGRAM FILES\SUB DIR\PROGRAM NAME

Then each asterisk in the path below marks a spot where Windows first looks for an executable named after the text before it (C:\PROGRAM.exe, then C:\PROGRAM FILES\SUB.exe, and so on); a program.exe placed at one of those locations gets executed when the service is restarted.

C:\PROGRAM*FILES\SUB*DIR\PROGRAM*NAME

Note that writing directly under C:\ usually requires admin rights, but the subdirectories further down may well be writable.

One-liner (cmd) to check for affected services; note that wmic is deprecated on recent Windows releases and may not be present:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
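
A PowerShell equivalent of that check, added here as an example and not part of the original page: it lists services whose image path is unquoted and contains spaces, shows the "<prefix>.exe" names Windows would try first, and with -Fix quotes the ImagePath value in the registry (the fix needs an elevated shell). It assumes the service binary name ends in .exe.

```powershell
# Added example (not from the original page): report unquoted service paths,
# list the "<prefix>.exe" candidates Windows tries first, and optionally fix them.
param([switch]$Fix)

# Captures the executable (up to the first ".exe") and whatever arguments follow.
$exePattern = '^(.*?\.exe)(\s.*)?$'

Get-CimInstance -ClassName Win32_Service |
  Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
  ForEach-Object {
    $m = [regex]::Match($_.PathName, $exePattern, 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    # Paths without spaces are unambiguous; C:\Windows is skipped like the wmic one-liner.
    if ($exe -notmatch ' ' -or $exe -match '^[A-Za-z]:\\Windows\\') { return }

    # Each space is a point where CreateProcess tries "<text before the space>.exe".
    $parts = $exe -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
      ($parts[0..($i - 1)] -join ' ') + '.exe'
    }

    [pscustomobject]@{
      Service    = $_.Name
      StartMode  = $_.StartMode
      RunAs      = $_.StartName
      ImagePath  = $_.PathName
      Candidates = $candidates -join ' | '
    }

    if ($Fix) {
      # Quote the raw registry value (unexpanded) and keep its original type,
      # usually REG_EXPAND_SZ, so %SystemRoot%-style paths survive the rewrite.
      $key  = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
      $raw  = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
      $kind = $key.GetValueKind('ImagePath')
      $rm   = [regex]::Match($raw, $exePattern, 'IgnoreCase')
      if ($rm.Success -and $raw -notmatch '^"') {
        $fixed = '"' + $rm.Groups[1].Value + '"' + $rm.Groups[2].Value
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed -Type $kind
        Write-Host "Quoted ImagePath for $($_.Name): $fixed"
      }
    }
  }
```

Run it without -Fix first to review the list; the Candidates column is the set of locations whose directory ACLs are worth auditing.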

Metasploit module: exploit/windows/local/trusted_service_path
