Under Review
over 1 year ago

Live Discover Query - Do all my services have quoted paths where needed?

  REVIEWED by Sophos

 To search for services on your computers which expose the computer to the classic Unquoted Service Path vulnerability, the following basic command could be run:

SELECT name, path FROM services WHERE path LIKE '% %' AND path LIKE '%.exe';

To break this down, the query is looking for services where the ImagePath value for the service has at least one space ("% %") AND the path ends in ".exe".

This would work as an example if the "Sophos Device Control Service" ImagePath value under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Device Control Service

had a value of:

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sdcservice.exe

This would return that the "Sophos Device Control Service" service was vulnerable.

Of course, the ImagePath value for a service could also have a path where there are arguments to the service binary, for example, the Sophos Clean service ImagePath is:

"C:\Program Files (x86)\Sophos\Clean\SophosCleanM.exe" /service

If this were unquoted it would not be returned by the above query, because the string does not end in .exe. We need something that covers:

  • C:\1 2\3.exe
  • C:\1\2 3\4.exe
  • C:\1 2\3.exe /5
  • C:\1 2\3.exe -5

but does not return for example:

  • C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p

In which case a better query might be:

SELECT name, path FROM services WHERE path NOT LIKE '% %.exe"%' AND path LIKE '% %.exe%';

In this refined query, we are interested in finding paths where there is not a quote after the exe AND there is a space in the path before the exe.

I'm sure it could be honed further, and osquery does support regex with regex_match, as detailed here: https://osquery.readthedocs.io/en/stable/introduction/sql/ but this should cover the 99.9%.
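To see the difference between the basic and the refined query on the cases listed above, here is an added example (not part of the original post) that loads constructed ImagePath values into an in-memory SQLite table named `services` and runs both queries against it. SQLite's LIKE is the same operator osquery evaluates, so the results show which rows each query flags; the service names and the `spoolsv.exe` row are invented for the test, and the regex check at the end is a local Python equivalent of what the post suggests could be expressed with osquery's regex_match (the exact osquery call is not shown here).

```python
import re
import sqlite3

# Constructed sample ImagePath values modelled on the post's cases (not from any real host).
SAMPLE_SERVICES = [
    ("unquoted-space-in-dir", r"C:\1 2\3.exe"),
    ("unquoted-space-deeper", r"C:\1\2 3\4.exe"),
    ("unquoted-with-slash-arg", r"C:\1 2\3.exe /5"),
    ("unquoted-with-dash-arg", r"C:\1 2\3.exe -5"),
    ("quoted-with-arg", r'"C:\Program Files (x86)\Sophos\Clean\SophosCleanM.exe" /service'),
    ("svchost", r"C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p"),
    ("no-space-at-all", r"C:\Windows\System32\spoolsv.exe"),   # constructed benign row
]

# The post's first query: a space anywhere AND the string ends in .exe.
BASIC_QUERY = (
    "SELECT name, path FROM services "
    "WHERE path LIKE '% %' AND path LIKE '%.exe';"
)

# The post's refined query: a space somewhere before .exe AND no closing quote right after .exe.
REFINED_QUERY = (
    "SELECT name, path FROM services "
    "WHERE path NOT LIKE '% %.exe\"%' AND path LIKE '% %.exe%';"
)

# Local regex equivalent of the refined rule: does not start with a quote,
# and whitespace appears somewhere before the .exe token.
UNQUOTED_SPACE_RE = re.compile(r'^[^"].*?\s.*?\.exe', re.IGNORECASE)


def load_services(rows):
    """Build an in-memory table shaped like osquery's services(name, path)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (name TEXT, path TEXT)")
    conn.executemany("INSERT INTO services (name, path) VALUES (?, ?)", rows)
    return conn


def run_query(conn, sql):
    """Return the sorted service names a query flags."""
    return sorted(name for name, _path in conn.execute(sql))


def flagged_by_regex(rows):
    """Apply the regex rule to the same rows, for comparison with the LIKE-based query."""
    return sorted(name for name, path in rows if UNQUOTED_SPACE_RE.search(path))


def compare_queries(rows=SAMPLE_SERVICES):
    """Run both queries over the sample rows and return what each flags."""
    conn = load_services(rows)
    return {
        "basic": run_query(conn, BASIC_QUERY),
        "refined": run_query(conn, REFINED_QUERY),
        "regex": flagged_by_regex(rows),
    }


if __name__ == "__main__":
    for label, names in compare_queries().items():
        print(f"{label:8s} -> {names}")
```

The basic query only catches the two rows whose string ends in `.exe`; the refined query and the regex both pick up the four unquoted variants (including those with `/5` and `-5` arguments) while leaving the quoted Sophos Clean path and the `svchost.exe` command line alone. Note that all three rules would also flag an unquoted binary with no space in its own path if a later argument happened to contain a space followed by `.exe`, so results are worth a quick eyeball before filing them.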

Regards,
Jak