
Unquoted Path Vulnerability - please fix ASAP

C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service -  this service has an unquoted path.

Please fix it ASAP.



  • Hello lukg,

    just curious, which hmpalert.exe, Intercept X, and OS versions? I'm using it with the on-premise SESC and as far as I can see the paths are correctly quoted. 

    Christian

  • We are using Sophos Endpoint Advanced 10.8.10.3 and Sophos Intercept X 2.0.20

  • The HMPA component's installer was recently updated.  I can only think this was introduced at that point as it wasn't always an issue as QC mentions.  The EDR product even has a query for this named "Unquoted paths in the service registry keys":

    Description:

    Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)

    Created by Sophos


    SELECT
    r.path,
    r.data
    FROM registry r
    WHERE
    r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
    -- Check for data that looks like a path, does not start with a quote and contains a space
    -- Note: If the data has a parameter with a . in it will be incorrectly matched
    AND r.data like '%:\%'
    AND r.data not like '"%'
    AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'

    I assume it will be fixed at the first opportunity.
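
An added example, not part of the thread and not Sophos's own code: a Python check that mirrors the query's three conditions and compares them with a stricter test that only counts a space inside the executable path, which avoids the false match the query's comment warns about. The sample ImagePath values are constructed (the first is the path quoted in the opening post), and the .exe/.sys/.dll extension list is an assumption of this example.

```python
import re

# Assumption of this example: the executable is the shortest prefix ending in
# .exe/.sys/.dll that is followed by whitespace or the end of the value.
_EXE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)

# Constructed ImagePath values; "page" is the path quoted in the opening post.
SAMPLES = {
    "page": r"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service",
    "quoted": r'"C:\Program Files\Vendor\agent.exe" --run',
    "no_space": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "dotted_arg": r"C:\Tools\agent.exe --config C:\Tools\agent.conf",
    "driver": r"\SystemRoot\System32\drivers\example.sys",
}

def sql_heuristic(data: str) -> bool:
    """Same three conditions as the query: drive path, no leading quote,
    and a space anywhere before the last '.' (what the rtrim() call keeps)."""
    up_to_last_dot = data[: data.rfind(".") + 1]
    return ":\\" in data and not data.startswith('"') and " " in up_to_last_dot

def unquoted_with_space(data: str) -> bool:
    """Stricter: only a space inside the executable path itself counts."""
    if data.startswith('"') or ":\\" not in data:
        return False
    m = _EXE.match(data)
    return bool(m) and " " in m.group(1)

def quoted_form(data: str) -> str:
    """The value with its executable path wrapped in double quotes."""
    m = _EXE.match(data)
    return f'"{m.group(1)}"{data[m.end(1):]}' if m else data

def triage(samples: dict) -> dict:
    """Map each name to (query result, stricter result)."""
    return {n: (sql_heuristic(v), unquoted_with_space(v)) for n, v in samples.items()}

if __name__ == "__main__":
    for name, (loose, strict) in triage(SAMPLES).items():
        print(f"{name:11} query={loose!s:5} strict={strict!s:5}")
    print("fix:", quoted_form(SAMPLES["page"]))
```

Only the "dotted_arg" sample differs between the two checks: the query flags it because of the dot in the argument, while the stricter check sees no space in the executable path.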
