Identify UnQuoted Vulnerabilities and then Fix
A fix for unquoted path vulnerabilities
I previously covered how to abuse an unquoted paths vulnerabiltiy (here), but at the time I hadn't formualted a fix and I dont remember seeing anything on Google. Download the text file at the bottom of the page, rename the extension to .ps1 and run as administrator. Of course normal rules apply, its at your own risk so simply testing first.
#Identify Unquoted paths
$vulnSvc = gwmi win32_service | foreach{$_} |
where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} |
where {-not $_.pathname.startswith("`"")} |
where {($_.pathname.substring(0, $_.pathname.indexof(".exe") + 4 )) -match ".* .*" }
$vulnSvc | Write-Host
#Fix Unquoted path issues
$vulnSvc | Write-Host
foreach ($unQSvc in $vulnSvc)
{
$svc = $unQSvc.name
$SvcReg = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\$svc
if ($SvcReg.imagePath -like "*.exe *")
{
$SvcRegSp = $SvcReg.imagePath -split ".exe"
$SvcRegSp0 = $SvcRegSp[0]
$SvcRegSp1 = $SvcRegSp[1]
$image = "`"$SvcRegSp0" + ".exe`"" + " " + $SvcRegSp1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value $image
}
if ($SvcReg.imagePath -like "*.sys *")
{
$SvcRegSp = $SvcReg.imagePath -split ".sys"
$SvcRegSp0 = $SvcRegSp[0]
$SvcRegSp1 = $SvcRegSp[1]
$image = "`"$SvcRegSp0" + ".sys`"" + " $SvcRegSp1"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value $image
}
if ($SvcReg.imagePath -like "*.exe")
{
$image = $SvcReg.ImagePath
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name ImagePath -Value "`"$image`""
}
}