Service Path Vulnerability - automated fixlet and report ideas

(imported topic written by jfschafer)

First let me explain what the issue is as it will make more sense that way and possibly help some of you out in the process.

There is a little-known vulnerability that affects tons of software products, including common security software (VPN, antivirus) as well as other programs like Nvidia services, printer services, etc. The vulnerability deals with the fact that many vendors don't put " " around their service names that contain paths with spaces. Doesn't seem like a big deal, but if you don't have a quote in the path, malicious files of the hacker's choice can be inserted by various methods (drive-by downloads and others) in any of the paths that the service has with no spaces.

I’m summarizing the following article which is an excellent write-up by the author.

Basically it is related to the binary path in services that is unquoted and contains spaces. If you open the Services control panel utility in your Windows OS and right-click Properties on a service, look at the path to executable. If there's a space in the path (ie c:\Program Files . … . ) but no quotes before and after the path, that service is vulnerable to a pretty serious vulnerability that can easily be exploited, especially with all the capabilities of new malware being written today. It's really a matter of just dropping a file in various paths and the rest is history. If you look at the path to executable and there are no spaces and no quotes, you're okay.

If we look at a typical service path with spaces you will see some paths are quoted -
"c:\program files (x86)\"
which is the correct way and how it should be.

You will come across many from major vendors who do not enclose the path within quotes -
c:\program files (x86)\

  • this is bad. Nvidia, Juniper, Brother, Symantec and many, many others all have products today that are installed on millions of systems with this problem. If you want to see which services on your machine that are set to start on bootup have this issue, paste the following command in your command prompt.

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Any output is services that are affected. Now you understand why I want to figure out a way to not only report on it (ie an analysis with this command) but also produce custom fixes with Bigfix for each app to automate fixing in my organization.

So I’m thinking create an analysis that uses that WMIC command above to target the services that are vulnerable. Would be nice to see a web report listing the services in one column and the number of machines affected in the right. Then begin writing a fixlet that imports a custom script (batch file maybe?) to fix each app automatically as they become relevant. Obviously you’ll have to write the scripts manually but using the analysis above it could allow you to prioritize based on the # of systems affected.

If any of you have an example script that renames a vulnerable path without the quotes to a path with quotes, that would be great. Also, if any of you have a custom report idea or analysis that can summarize systems and vulnerable services on the fly using output from the wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ command, that would be really helpful too.

If you’re like me, you probably didn’t realize how potentially serious this vulnerability really is. Amazing really that this is so prevalent but not talked about much. Doesn’t seem good for home users as I can’t imagine a typical non-technical home user trying to fix this much less know about it.

Too bad Microsoft doesn't just make a utility to fix it for you or automatically fix it if a program attempts to install a service without quotes before and after. That would be the silver bullet really.
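As an added example (not code from the original post or from BigFix), the Python script below does what the WMIC/findstr pipeline in the post does, but works from the saved output of `wmic service get name,displayname,pathname,startmode /format:csv` and also prints the file names the Service Control Manager would try before the real executable, which is where an attacker would have to drop a file. The CSV sample inside it is constructed; real input comes from running that command on a host (WMIC is deprecated and has been removed from recent Windows 11 builds; `Get-CimInstance Win32_Service` returns the same Name, PathName and StartMode fields). Two caveats a practitioner should keep in mind: the split between executable and arguments in an unquoted path is a guess (the script takes everything up to the first `.exe`), so review the proposed quoted path before pushing it out; and a finding is only exploitable if a low-privileged user can actually create a file at one of the candidate paths, which is typically not the case directly under C:\ or C:\Program Files on a default install, so check the directory ACLs before calling it a confirmed privilege escalation.

```python
"""
Scan saved WMIC service output for unquoted binary paths that contain spaces,
list the files the Service Control Manager would try before the real
executable (the hijack candidates), and produce the quoted form of the path.
Added example, not code from the original post; the sample data is constructed.
"""
import re

# Constructed sample of
#   wmic service get name,displayname,pathname,startmode /format:csv
# WMIC prints a leading blank line and a Node column, and passes the quotes in
# PathName through unescaped. Service names and vendors here are made up.
SAMPLE_WMIC_CSV = """
Node,DisplayName,Name,PathName,StartMode
HOST1,Example Antivirus Service,ExampleAV,C:\\Program Files\\Example Vendor\\AV Client\\avsvc.exe -service,Auto
HOST1,Mozilla Maintenance Service,MozillaMaintenance,"C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe",Manual
HOST1,Print Spooler,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
HOST1,Example Updater,ExampleUpd,C:\\Tools\\updater.exe /run,Auto
HOST1,Example GPU Helper,ExampleGPU,C:\\Program Files\\Example GPU\\helper.exe,Disabled
"""

EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def parse_wmic_csv(text):
    """Split WMIC CSV lines by hand: a CSV library would strip the very quotes
    we need to inspect. StartMode is the last field; PathName may contain commas."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        body, startmode = line.rsplit(",", 1)
        _node, display, name, pathname = body.split(",", 3)
        rows.append({"DisplayName": display, "Name": name,
                     "PathName": pathname, "StartMode": startmode})
    return rows


def split_image_path(pathname):
    """Return (executable, arguments). A quoted path is unambiguous; for an
    unquoted one we take everything up to the first '.exe' token, which is the
    guess a human makes. The SCM does not guess: it tries each space-delimited
    prefix in turn, which is exactly the weakness."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip()
    m = EXE_RE.search(p)
    if m:
        return p[:m.end()], p[m.end():].strip()
    return p, ""


def is_vulnerable(pathname):
    """Unquoted, and the executable part contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe


def hijack_candidates(exe):
    r"""CreateProcess tries, for each space in an unquoted path, the text before
    that space with '.exe' appended: C:\Program Files\My Vendor\svc.exe yields
    C:\Program.exe and C:\Program Files\My.exe before the real file."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_pathname(pathname):
    """The fix: quote the executable and leave any arguments outside the quotes."""
    exe, args = split_image_path(pathname)
    return '"%s"%s' % (exe, " " + args if args else "")


def scan(text, skip_windows=True):
    """Return a finding for every service with an unquoted, space-containing
    path. The findstr pipeline in the thread drops paths under the Windows
    directory and keeps only Auto services; this keeps every start mode and
    reports it, since a Manual service can still be started by anyone who
    holds the start right on it."""
    findings = []
    for row in parse_wmic_csv(text):
        if not is_vulnerable(row["PathName"]):
            continue
        exe, _ = split_image_path(row["PathName"])
        if skip_windows and exe.lower().startswith("c:\\windows\\"):
            continue
        findings.append({
            "Name": row["Name"], "StartMode": row["StartMode"], "exe": exe,
            "candidates": hijack_candidates(exe),
            "fixed": quoted_pathname(row["PathName"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_WMIC_CSV):
        print("%s (%s)" % (f["Name"], f["StartMode"]))
        print("  exe      :", f["exe"])
        for c in f["candidates"]:
            print("  drop here:", c)
        print("  fixed    :", f["fixed"])
```

Feed it the CSV from each host (or the PathName values collected by a BigFix analysis) and the `fixed` field of each finding is the quoted path the per-service fixlet needs to write.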

(imported comment written by jfschafer)

I found this blog posting that deals with exactly what I am asking. Combined with Bigfix, I'm thinking we could create something pretty automated.

(imported comment written by PaulO.)

I’ve been working on this vulnerability for a couple days now and what I settled on due to time constraints (audit season) is as follows.

  1. Obtained a Nessus vulnerability report (plugin output column) and using Excel I managed to narrow down the biggest offender service paths.

  2. Used the following relevance query for a couple of service paths to verify standard output. For this example, Firefox's Maintenance service is used. The output as a string comes out with %00 due to how it's stored in the registry.

q: (value "ImagePath" of it as string) of key "HKLM\SYSTEM\CurrentControlSet\services\MozillaMaintenance" of registry

A: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe%00

T: 0.287 ms

  3. Next I exported the registry key for each service with the changes manually added. I removed the extra values that did not need to be updated and copied a portion of the file into the action script.

  4. I used 1 relevance check per service and added an additional relevance check within the action script for each service that handles building a client-side registry file and importing it, thereby overwriting the necessary key.

This method is working pretty well for me so far. I know I can improve it or find a better approach, but for now it is serving my time requirements. Simply tack on more relevance checks and additional action script blocks as needed. Obviously you can make this into separate fixlets and then combine them into a baseline for better reporting, but it's not necessary for me. I'm already buried in reports.

Example Relevance:

exists key whose (value "ImagePath" of it as string = "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe%00") of key "HKLM\SYSTEM\CurrentControlSet\services" of registry

Example ActionScript:

// FireFox on x64

// %00 in the relevance string literal is the trailing null the value carries when read as a string
if {exists key whose (value "ImagePath" of it as string = "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe%00") of key "HKLM\SYSTEM\CurrentControlSet\services" of registry}
// build the .reg file client-side; hex(2) keeps the REG_EXPAND_SZ type and holds the quoted path as UTF-16LE bytes
delete __appendfile
delete ServiceFix.reg
appendfile Windows Registry Editor Version 5.00
appendfile
appendfile [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MozillaMaintenance]
// every continued hex line must end in a backslash or regedit stops reading the value at the first line
appendfile "ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
appendfile   6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,\
appendfile   00,5c,00,4d,00,6f,00,7a,00,69,00,6c,00,6c,00,61,00,20,00,4d,00,61,00,69,00,\
appendfile   6e,00,74,00,65,00,6e,00,61,00,6e,00,63,00,65,00,20,00,53,00,65,00,72,00,76,\
appendfile   00,69,00,63,00,65,00,5c,00,6d,00,61,00,69,00,6e,00,74,00,65,00,6e,00,61,00,\
appendfile   6e,00,63,00,65,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,65,00,78,\
appendfile   00,65,00,22,00,00,00
move __appendfile ServiceFix.reg
// silent import overwrites ImagePath with the quoted path
wait regedit /s ServiceFix.reg
delete ServiceFix.reg
endif
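Hand-exporting a .reg file per service, as the post above describes, gets tedious once the analysis turns up a few dozen offenders. As an added example (not code from the post or from BigFix), the Python script below generates the same `hex(2):` block from a service name and its unquoted executable path, wrapping the bytes exactly as regedit exports them so the output can be dropped into an `appendfile` sequence or imported directly with `regedit /s`. It uses hex(2) rather than a plain `"ImagePath"="..."` line because a plain string line would write the value as REG_SZ and lose the REG_EXPAND_SZ type; and since the value is hex-encoded, the file is pure ASCII whatever characters the path contains. The Mozilla path is the one from the post; the `-a` argument in the usage note is an assumed example.

```python
"""
Generate the ServiceFix.reg content for a service whose ImagePath needs quoting,
in the hex(2) (REG_EXPAND_SZ) form regedit exports, so the value keeps its type
when imported with `regedit /s`. Added example, not code from the original
post; the Mozilla path is the one used in the post above.
"""


def reg_hex2(name, value, width=80):
    """Encode a REG_EXPAND_SZ value the way regedit exports it: UTF-16LE bytes
    plus a two-byte terminator, one 'xx,' token per byte, wrapped so that no
    line exceeds `width` columns including the trailing continuation
    backslash, with a two-space indent on continued lines."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    tokens = ["%02x" % b for b in data]
    lines = []
    line = '"%s"=hex(2):' % name
    for i, tok in enumerate(tokens):
        last = i == len(tokens) - 1
        piece = tok if last else tok + ","
        # a continued line needs one column left for the backslash
        if len(line) + len(piece) + (0 if last else 1) > width:
            lines.append(line + "\\")
            line = "  "
        line += piece
    lines.append(line)
    return "\n".join(lines)


def quoted_image_path(exe, args=""):
    """Quote the executable only; arguments stay outside the quotes."""
    return '"%s"%s' % (exe, " " + args if args else "")


def service_fix_reg(service_name, exe, args=""):
    """Build the .reg text that rewrites the service's ImagePath."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\%s]" % service_name,
        reg_hex2("ImagePath", quoted_image_path(exe, args)),
        "",
    ])


if __name__ == "__main__":
    text = service_fix_reg(
        "MozillaMaintenance",
        "C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe")
    # The file is ASCII because the value is hex-encoded; regedit reads it as
    # an ANSI .reg file. Use CRLF line endings as regedit itself writes them.
    with open("ServiceFix.reg", "w", newline="\r\n") as fh:
        fh.write(text)
    print(text)
```

Running it with the Mozilla path reproduces the seven hex lines in the ActionScript above byte for byte, which is a handy check that a hand-built block was not mangled in transit; for a service that takes arguments, pass them separately (for example `service_fix_reg("ExampleSvc", "C:\\Program Files\\Example\\svc.exe", "-a")`) so they land outside the quotes.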