I’m trying to find a reg key that doesn’t have quotes around the file path, and then apply a reg key to add the quotes. This is to remediate the “Windows Unquoted Search Path or Element can allow local privilege escalation” vulnerability.
If I write
value whose (name of it is "ImagePath") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cyserver" of native registry
"C:\Program Files\Palo Alto Networks\Traps\cyserver.exe"%00
which is the value I want to receive (it has quotes around it, and ends with a null character)
But if I write
value whose (name of it is "ImagePath") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cyserver" of native registry = "%22C:\Program Files\Palo Alto Networks\Traps\cyserver.exe%22%00"
I get back
False. How should I change my relevance to check if the quotes exist, as well as the null character?
I thought about checking the hex key value instead, but I’m not sure how to do that:
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\ 6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,50,00,61,00,6c,00,6f,00,20,\ 00,41,00,6c,00,74,00,6f,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,\ 73,00,5c,00,54,00,72,00,61,00,70,00,73,00,5c,00,63,00,79,00,73,00,65,00,72,\ 00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,22,00,00,00