Exploiting Unquoted Service Paths For Fun and No Profit

exploitation cve windows

This kind of vulnerability is really old. However, vendors still fail to properly address this issue. This is just another example of exploiting this kind of vulnerability on Windows 10 with the most up-to-date ALFA AWUS036AC driver utility (version 1030.6). Note that the download link points to alfa.com but the driver utility itself says it’s developed by REALTEK.

The vulnerability

Upon installing the driver utility, two vulnerable services get installed. This can be checked using the following command:

C:\Users\ps>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Realtek DHCP Service | RTLDHCPService | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RTLDHCP.exe

RealtekWlanU         | RealtekWlanU   | C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility\RtlService.exe

This means, that the service paths of both services, called Realtek DHCP Service and RealtekWlanU, contain spaces and are not quoted using ". Therefore, they are vulnerable to this kind of attack.

A quick C++ PoC that logs the username of the user that executes a certain .exe file looks like this:

char username[UNLEN+1];
DWORD username_len = UNLEN+1;
GetUserName(username, &username_len);

std::ofstream outfile;
outfile.open("C:\\Users\\Public\\userlog.txt", std::ios_base::app);
outfile << username << std::endl;

When executed as a regular user, the binary outputs ps, being a regular user account.

The Exploit

Both service paths share the common string C:\Program Files (x86)\REALTEK\USB Wireless LAN Utility. Note that the substring USB Wireless LAN Utility contains spaces, which is a part of the vulnerability. Exploiting this works by placing a malicious file called USB.exe into C:\Program Files (x86)\REALTEK, making the full path C:\Program Files (x86)\REALTEK\USB.exe. Please not that this can only be performed by administrators in this case. So this will get you a privilege ecscalation from Administrator to SYSTEM ¯\(ツ)/¯. The binary supplied by an attacker will be executed as SYSTEM upon restarting the system. This can be seen for both vulnerable services in the log file:


The cause

The string which specifies the service path needs to be quoted to prevent this, as seen in this example

Additional note

While quickly testing this for multiple driver utilities by REALTEK, all tested packages seemed to be “vulnerable”.


Command Injection in LaTeX Workshop

exploitation vulnerability

Haxxoring a Hisense Smart TV

exploitation reverse-engineering vulnerability

SROP Exploitation with radare2

r2 radare2 rop exploitation ctf