In episode #341 of the 7 Minute Security podcast I talked about how to identify - and remediate - the unquoted service path vulnerabilities you might see pop up on a vulnerability scan. Here's the breakdown of resources that will help you understand and fix this pesky vuln:
- Here's a great article describing unquoted service paths and why they're a risk to your enterprise.
- If you want to create a fake service with unquoted service paths so you can then test fixing it, check out this gist which has you run something like the following:

      New-Service -Name 'TotesFakeService' -BinaryPathName 'C:\program files\system32\something.exe' -DisplayName 'Totes Fake Dude' -StartupType Manual

- Download this script and import it into your machine, then run Fix-ServicePath to seek out and destroy (er, fix) any unquoted service paths on your machine. (Looks like this script is no longer available.)
- Check out this script to find and fix unquoted service paths.
- To really bury the hatchet, reboot your machine and ensure all services start up cleanly, and you could even rescan it with Nessus/Qualys/etc. to make sure unquoted service path (Nessus plugin ID 63155) doesn't show up anymore. Or, for a quicker command line check, run this:

      wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

  The results should be "empty" if all service paths are properly quoted.
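
The same check as a PowerShell audit, as an added example that is not from the post or its linked scripts: it uses `Get-CimInstance` in place of `wmic`, goes beyond the one-liner by covering every start mode and install location, and shows the quoted form each flagged path should have. The function names are hypothetical, the sample paths are constructed, and binaries are assumed to end in `.exe`.

```powershell
# Added example; function names are hypothetical, not from the post or its linked scripts.

# Returns the quoted form of a service path that needs fixing, or $null if it is fine.
function Get-QuotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $null }              # already quoted
    # Split at the first ".exe" that ends the string or is followed by whitespace:
    # the left part is the binary, the right part its arguments (assumes an .exe binary).
    if ($p -match '^(?<exe>.+?\.exe)(?<args>\s.*)?$') {
        if ($Matches['exe'].Contains(' ')) {              # space inside the binary path
            return '"{0}"{1}' -f $Matches['exe'], $Matches['args']
        }
    }
    return $null
}

# Read-only audit of every installed service; changes nothing on the host.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $suggested = Get-QuotedServicePath $_.PathName
        if ($suggested) {
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                PathName  = $_.PathName
                Suggested = $suggested
            }
        }
    }
}

# Constructed sample paths; the first is the fake service created earlier in the post.
$samples = @(
    'C:\program files\system32\something.exe',
    'C:\Program Files\Vendor App\agent.exe --run service',
    '"C:\Program Files\Vendor App\agent.exe" --run service',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $fix = Get-QuotedServicePath $s
    if ($fix) { "FIX  $s  ->  $fix" } else { "OK   $s" }
}

# On a Windows host: Get-UnquotedServicePath | Format-List
```

The first two sample paths are reported as needing quotes and the last two as fine; on a live host, an empty result from `Get-UnquotedServicePath` is the equivalent of the "empty" `wmic` output.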
Thank you @leptoid ! Updated the gist. Much appreciated.