UnQuoted Paths Validation

If an attacker with user level privileges can abuse unquoted paths they can potentially gain system.

The Unquoted paths vulnerability is when a Windows Service's 'Path to Executable' contains spaces and not wrapped in double quotes.


If SoftwareA path to executable is vulnerable and the attacker is able to drop malware into the following path locations with the file  renamed to match the first word of the folder, before the space of the sub-folder. 


C:\Program.exe

C:\Program Files (x86)\SoftwareA.exe

C:\Program Files (x86)\SoftwareA\Update.exe

C:\Program Files (x86)\SoftwareA\Update\SoftwareAUpdate.exe


#Whos running the script

$who = (whoami).split("\")[1]

$outFile = "C:\users\$who\Desktop\VulnApps.txt" 


#Unquoted paths

"UnQuoted Path Vulnerabilities" | Out-File $outFile

"" | Out-File $outFile -Append


$vulnSvc = gwmi win32_service | foreach{$_} | 

    where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | 

    where {-not $_.pathname.startswith("`"")} | 

    where {($_.pathname.substring(0, $_.pathname.indexof(".exe") + 4 )) -match ".* .*" }


$vulnSvc.name | out-file $outFile -Append


start notepad.exe $outFile