CWE‐428: Unquoted Search Path or Element ‐ Windows unquoted service path vulnerability - ToddMaxey/Technical-Documentation GitHub Wiki
The unquoted service path issue, identified as CWE-428, involves a failure to properly quote the path of an executable in a Windows service. When such a path contains spaces, Windows can interpret an earlier part of it as the program to run, so this oversight can potentially be exploited by placing malicious files in certain directories, leading to inadvertent execution of these files. While not assigned a specific CVE by Microsoft, it represents a significant security concern rooted in installation or configuration practices. It's crucial for administrators to conduct system audits and rectify any unquoted service paths. This problem emphasizes the importance of adhering to security best practices in system configuration. For a detailed understanding of CWE-428, please refer to the CWE-428 entry.
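To make the ambiguity concrete, the following added example (not part of the wiki's script) lists, in order, the file names Windows would try for an unquoted command line under the documented `CreateProcess` parsing rule. The function name `Get-UnquotedPathCandidates` and the sample values are constructed for illustration, and the helper assumes the real executable is the first prefix ending in `.exe`.

```powershell
# Added example: hypothetical helper, not part of the wiki's script.
# Returns, in order, the file names Windows would try for an unquoted
# command line, following the documented CreateProcess parsing rule.
function Get-UnquotedPathCandidates {
    param ([string]$CommandLine)

    $Value = $CommandLine.Trim()
    # A quoted executable is unambiguous, so there is nothing to list
    if ($Value.StartsWith('"')) { return @() }

    $Candidates = @()
    $Tokens = $Value -split '\s+'
    for ($i = 0; $i -lt $Tokens.Count; $i++) {
        $Prefix = $Tokens[0..$i] -join ' '
        # Assumption: the real executable is the first prefix ending in .exe
        if ($Prefix -match '\.exe$') { $Candidates += $Prefix; break }
        # Windows appends .exe when a candidate has no extension
        if ($Prefix -notmatch '\.[^\\. ]+$') { $Prefix += '.exe' }
        $Candidates += $Prefix
    }
    return $Candidates
}

# Constructed sample values (not read from any real system)
$Samples = @(
    'C:\Program Files\Vendor App\svc.exe -run',
    '"C:\Program Files\Vendor App\svc.exe" -run',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)

foreach ($Sample in $Samples) {
    $Candidates = @(Get-UnquotedPathCandidates -CommandLine $Sample)
    # More than one candidate means the path is ambiguous
    [pscustomobject]@{
        ImagePath  = $Sample
        Ambiguous  = $Candidates.Count -gt 1
        TriedFirst = ($Candidates | Select-Object -SkipLast 1) -join '; '
    }
}
```

Only the first sample is reported as ambiguous, with `C:\Program.exe` and `C:\Program Files\Vendor.exe` tried before the intended binary; the directories those names fall in are the ones whose write permissions should be reviewed for that service.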
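```powershell
# PowerShell script to check and fix unquoted ImagePath in service registry keys
# Run from an elevated session: it writes to HKLM.

# Get all service keys
$Service_Keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Function to quote a path if necessary
function Quote_Path_IfNeeded {
    param ($Path)
    if ($Path -and $Path -notmatch '^".*"$' -and $Path.Contains(' ')) {
        return "`"$Path`""
    }
    return $Path
}

# Function to check and potentially fix the ImagePath
function Check_And_Fix_ImagePath {
    param ($Image_Path)

    # A value that already starts with a quote has a quoted executable; leave it alone
    if ($Image_Path -match '^\s*"') { return $Image_Path }

    # Split the executable from its arguments before quoting, so the arguments
    # stay outside the quotes. The lookahead keeps the leading '-' or '/'.
    $Split_Path = $Image_Path -split '\s+(?=[-/])', 2
    $Executable = $Split_Path[0].Trim()

    # Only rewrite when the executable part clearly ends in .exe. Driver (.sys)
    # paths and values whose arguments do not start with '-' or '/' are left as-is.
    if ($Executable -notmatch '\.exe$') { return $Image_Path }

    $Quoted = Quote_Path_IfNeeded -Path $Executable
    if ($Quoted -eq $Executable) { return $Image_Path }   # no space, nothing to fix

    if ($Split_Path.Length -gt 1) { $Quoted += ' ' + $Split_Path[1] }
    return $Quoted
}

# Iterate through the keys and check for unquoted ImagePath values
foreach ($Service_Key in $Service_Keys) {
    # Read the raw value so %SystemRoot% and similar variables are not expanded
    $Image_Path = $Service_Key.GetValue('ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    if ($Image_Path -is [string] -and $Image_Path) {
        $Fixed_Image_Path = Check_And_Fix_ImagePath -Image_Path $Image_Path
        if ($Fixed_Image_Path -ne $Image_Path) {
            # Report every change so the run can be reviewed afterwards
            Write-Output "$($Service_Key.PSChildName): $Image_Path -> $Fixed_Image_Path"
            # PSPath is already a valid provider path; keep the existing value type
            Set-ItemProperty -LiteralPath $Service_Key.PSPath -Name 'ImagePath' `
                -Value $Fixed_Image_Path -Type $Service_Key.GetValueKind('ImagePath')
        }
    }
}
```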