Identify Unquoted Path Vulnerabilities and Then Fix Them

A fix for unquoted path vulnerabilities

I previously covered how to abuse an unquoted paths vulnerability (here), but at the time I hadn't formulated a fix and I don't remember seeing anything on Google. Download the text file at the bottom of the page, rename the extension to .ps1 and run as administrator. Of course normal rules apply: it's at your own risk, so test it first.


    #Identify Unquoted paths

    $vulnSvc = gwmi win32_service | foreach{$_} | 

        where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | 

        where {-not $_.pathname.startswith("`"")} | 

        where {($_.pathname.substring(0, $_.pathname.indexof(".exe") + 4 )) -match ".* .*" }

    

    $vulnSvc | Write-Host


    #Fix Unquoted path issues

    $vulnSvc | Write-Host

        foreach ($unQSvc in $vulnSvc)

            {

            $svc = $unQSvc.name

            $SvcReg = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\$svc

                if ($SvcReg.imagePath -like "*.exe *")

                {

                    $SvcRegSp =  $SvcReg.imagePath -split ".exe"

                    $SvcRegSp0 = $SvcRegSp[0]

                    $SvcRegSp1 = $SvcRegSp[1]

                    $image = "`"$SvcRegSp0" + ".exe`"" + " " + $SvcRegSp1

                    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value $image

                }

                if ($SvcReg.imagePath -like "*.sys *")

                {

                    $SvcRegSp =  $SvcReg.imagePath -split ".sys"

                    $SvcRegSp0 = $SvcRegSp[0]

                    $SvcRegSp1 = $SvcRegSp[1]

                    $image = "`"$SvcRegSp0" + ".sys`"" + " $SvcRegSp1"

                    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value $image

                }

                if ($SvcReg.imagePath -like "*.exe") 

                {

                    $image = $SvcReg.ImagePath

                    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value "`"$image`""

                }

            }