(imported topic written by jfschafer)
First let me explain what the issue is as it will make more sense that way and possibly help some of you out in the process.
There is a little-known vulnerability that affects tons of software products, to include common security software (VPN, Antivirus) as well as other programs like Nvidia services, printer services etc. The vulnerability deals with the fact that many vendors don’t put " " around their service names that contain paths with spaces. Doesn’t seem like a big deal, but if you don’t have a quote in the path, malicious files of the hacker’s choice can be inserted by various methods (drive-by downloads and others) in any of the paths that the service has with no spaces.
I’m summarizing the following article which is an excellent write-up by the author.
Basically it is related to the path binary in services that are unquoted and contain spaces. If you open your SERVICES control panel utility in your Windows OS and do a right-click properties of a service in your Windows services, look at the path to executable. If there’s a space in the path (i.e. c:\Program Files . … . ) but no quotes before and after the path, that service is vulnerable to a pretty serious vulnerability that can easily be exploited, especially with all the capabilities of new malware being written today. It’s really a matter of just dropping a file in various paths and the rest is history. If you look at the path to executable and there are no spaces and no quotes, you’re okay.
If we look at a typical service path with spaces you will see some paths are quoted -
"c:\program files (x86"
which is the correct way and how it should be.
You will come across many from major vendors who do not enclose the path within quotes -
c:\program files (x86)\
- this is bad. Nvidia, Juniper, Brother, Symantec and many, many others all have products today that are installed on millions of systems with this problem. If you want to see which services on your machine that are set to start on bootup have this issue, paste the following command in your command prompt.
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Any output is services that are affected. Now you understand why I want to figure out a way to not only report on this (i.e. an analysis with this command) but also produce custom fixes with Bigfix for each app to automate fixing in my organization.
So I’m thinking of creating an analysis that uses that WMIC command above to target the services that are vulnerable. Would be nice to see a web report listing the services in one column and the number of machines affected in the right. Then begin writing a fixlet that imports a custom script (batch file maybe?) to fix each app automatically as they become relevant. Obviously you’ll have to write the scripts manually, but using the analysis above it could allow you to prioritize based on the # of systems affected.
If any of you have an example script that renames a vulnerable path without the quotes to a path with quotes, that would be great. Also, if any of you have a custom report idea or analysis that can summarize systems and vulnerable services on the fly using output from the wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ command, that would be really helpful too.
If you’re like me, you probably didn’t realize how potentially serious this vulnerability really is. Amazing really that this is so prevalent but not talked about much. Doesn’t seem good for home users as I can’t imagine a typical non-technical home user trying to fix this much less know about it.
Too bad Microsoft doesn’t just make a utility to fix it for you or automatically fix it if a program attempts to install a service without quotes before and after. That would be the silver bullet really.
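
Added example, not part of the original post and not BigFix's own content: one way to do the report-and-quote step the post asks for, reading each service's ImagePath from the registry instead of parsing wmic output. It assumes the executable part of ImagePath ends at the first ".exe" followed by whitespace or end of string; the function name Get-QuotedImagePath is hypothetical.

```powershell
# Added example (not from the original post). Reports services whose ImagePath
# is unquoted and contains a space; with -Fix it rewrites the value quoted.
# Assumption: the executable part of ImagePath ends at the first ".exe" that is
# followed by whitespace or end of string.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

function Get-QuotedImagePath {
    param([string]$ImagePath)
    # Already quoted values (leading ") and non-.exe values do not match.
    if ($ImagePath -notmatch '^\s*(?<exe>[^"]+?\.exe)(?<args>\s.*)?$') { return $null }
    $exe  = $Matches['exe']    # copy before the next -match overwrites $Matches
    $rest = $Matches['args']
    if ($exe -notmatch '\s') { return $null }   # no space in the path: not affected
    return '"{0}"{1}' -f $exe, $rest
}

$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the raw string so %SystemRoot%-style values are written back unchanged.
        $raw = $_.GetValue('ImagePath', $null, $noExpand)
        if (-not $raw) { return }
        $quoted = Get-QuotedImagePath -ImagePath $raw
        if (-not $quoted) { return }

        # One report row per affected service.
        [pscustomobject]@{
            Service  = $_.PSChildName
            Start    = $_.GetValue('Start')      # 2 = Automatic
            Current  = $raw
            Proposed = $quoted
        }

        if ($Fix -and $PSCmdlet.ShouldProcess($_.PSChildName, "Set ImagePath to $quoted")) {
            # Keep the original value type (REG_SZ or REG_EXPAND_SZ).
            Set-ItemProperty -Path $_.PSPath -Name 'ImagePath' -Value $quoted `
                -Type $_.GetValueKind('ImagePath')
        }
    }
```

Run it elevated without -Fix to get the report only, and with -Fix -WhatIf to preview each change before writing anything.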