Microsoft WslService Unquoted Service Path Vulnerability

Author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response

Microsoft WslService Unquoted Service Path

By Uriel Kosayev

Introduction

WslService is a deployed service on Windows machines with the WSL (Windows Subsystem for Linux) installed.

An attacker can exploit this vulnerability during the post-exploitation phase to achieve code execution, privilege escalation, and persistence,

by using the technique of implanting an arbitrary unsigned executable which is executed by a signed service that runs with the NT AUTHORITY\SYSTEM privileges on the victim machine.

Gain Insider Knowledge

Subscribe to updates from the TrainSec trainers

The Vulnerability

Service in the Windows operating system is susceptible to “Unquoted Service Path” vulnerability if the executable path is not wrapped with quotation marks. In this case, the “WslService” Windows service is executed with the “CreateProcessAsUserW” Windows API function as can be seen below:

image1

The “CreateProcessAsUserW” Windows API function receives several parameters such as the “lpApplicationName” parameter that has a value of the module/file name or the full path to the module/file, and in this case, with no quotation marks which leads to this vulnerability.

To exploit such vulnerability, an attacker needs to drop a file that will be executed after a computer or service is restarted, either through an administrative account or by abusing a service path followed by an insufficient permission so that any weak user with a “W” (write) permission, for instance, can write to this path without the need of an administrative account. Below you can see Microsoft’s explanation of the “lpApplicationName” parameter:

image3

And here below you can see that when the “WslService” is executed, it’s running under the context of NT AUTHORITY\SYSTEM:

image2

Proof of Concept & Reproduction Steps

  • Service enumeration on n endpoint where WSL is installed:
image5
  • Compile the following Persistence PoC code:

#include <Windows.h>

void main()

{

    system("net user weakuser /add");

    system("net localgroup Administrators weakuser /add");

}

  • Put the compiled PE-executable in the C:\ drive named Program.exe:
image4
  • Restart the computer and execute the following command to validate that a user named “weakuser” is created and assigned under the “Administrators” group.
blue depth

About the author

Uriel Kosayev
Cybersecurity researcher and red teamer who lives both on the offensive and defensive fronts. The author of the “Antivirus Bypass Techniques” book, expert in malware research, reverse engineering, penetration testing, digital forensics, and incident response
All corses and publications

Useful Resources

Join our Discord community
Pavel’s GitHub
Pavel’s Books
Uriel’s GitHub
Antivirus Bypass Techniques Book

Learning Paths

Windows Master Developer
Windows Internals Master
Windows Security Researcher
Hardware Hacking Expert

Let's Connect

Contact Us

@2024 TrainSec. All rights reserved. Terms of Use | Privacy Policy

Black Friday & Cyber Monday Sale Started!

For a limited time, enjoy 25% off ALL available courses for the next month. Whether you’re looking to sharpen your skills or explore new areas of cybersecurity, now’s the perfect time to invest in your growth.

Use code BFRIDAY24 at checkout to claim your discount.

*Excluding bundles and monthly plans.  
Go to course library