@7MinSec
Last active January 20, 2022 15:05
How to fix unquoted service paths

In episode #341 of the 7 Minute Security podcast I talked about how to identify - and remediate - the unquoted service path vulnerabilities you might see pop up on a vulnerability scan. Here's the breakdown of resources that will help you understand and fix this pesky vuln:

  • Here's a great article describing unquoted service paths and why they're a risk to your enterprise.

  • If you want to create a fake service with unquoted service paths so you can then test fixing it, check out this gist which has you run something like the following:

New-Service -Name 'TotesFakeService' -BinaryPathName 'C:\program files\system32\something.exe' -DisplayName 'Totes Fake Dude' -StartupType Manual

  • Download this script and import it into your machine, then run Fix-ServicePath to seek out and destroy (er, fix) any unquoted service paths on your machine. (Looks like this script is no longer available)

  • Check out this script to find and fix unquoted service paths.

  • To really bury the hatchet, reboot your machine and ensure all services start up cleanly, and you could even rescan it with Nessus/Qualys/etc. to make sure unquoted service path (Nessus plugin ID 63155) doesn't show up anymore. Or, for a quicker command line check, run this:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

The results should be "empty" if all service paths are properly quoted.
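
A stricter check than the `wmic` filter above, as an added example that is not part of the gist or the linked scripts: it flags a service only when the executable portion of an unquoted `PathName` contains a space, and it looks at every start mode and at paths under `C:\Windows` too, so the manual-start `TotesFakeService` from earlier is caught. `Test-UnquotedServicePath` is a hypothetical helper name, and every sample service except `TotesFakeService` is constructed.

```powershell
# Added example, not from the gist. Helper name is hypothetical.
function Test-UnquotedServicePath {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$PathName
    )

    $p = $PathName.Trim()

    # Empty or already quoted: nothing to fix.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }

    # Isolate the executable portion: everything up to the first ".exe"
    # followed by whitespace or end of string. Arguments come after it
    # and may legitimately contain spaces. -match is case-insensitive.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        return $Matches['exe'].Contains(' ')
    }

    # No ".exe" found, so image and arguments cannot be separated.
    # Flag any space so the entry gets a manual review.
    return $p.Contains(' ')
}

# Constructed sample data shaped like Win32_Service objects.
$samples = @(
    [pscustomobject]@{ Name = 'TotesFakeService'; StartMode = 'Manual'
                       PathName = 'C:\program files\system32\something.exe' }
    [pscustomobject]@{ Name = 'QuotedSvc'; StartMode = 'Auto'
                       PathName = '"C:\Program Files\Vendor\svc.exe" -run' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'; StartMode = 'Auto'
                       PathName = 'C:\Tools\agent.exe --config C:\Tools\a.conf' }
    [pscustomobject]@{ Name = 'WinDirSvc'; StartMode = 'Auto'
                       PathName = 'C:\Windows\Some Dir\helper.exe' }
)

# List only the services whose image path is unquoted and contains a space.
$samples |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartMode, PathName

# On a live machine, replace $samples with:
#   Get-CimInstance -ClassName Win32_Service
```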

leptoid commented Jan 16, 2022

The listed link does not seem to bring up the fix anymore. The author of the script hosts it on GitHub though.
https://github.com/VectorBCO/windows-path-enumerate

7MinSec commented Jan 20, 2022

Thank you @leptoid ! Updated the gist. Much appreciated.
