Hi Everyone,

In my previous blog post I talked about another VA scan finding: Disable HTTP OPTIONS. Here is another critical issue that was highlighted during the recent vulnerability assessment scan on my Dynamics servers: Windows Unquoted Search Path.

 

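What is Windows Unquoted Search Path?

Basically, it is a path to an executable file, registered under local Services, that contains spaces and is not enclosed in quotes. Without the quotes, Windows cannot tell where the executable name ends, so it tries each space-separated prefix of the path in turn. This can easily be exploited by placing a malicious file at one of those intermediate locations in the path. That file would run when the service starts, and since the service starts with SYSTEM privileges, the file would run with them too.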

 

In Windows there are 3 registry locations to check for such file paths:

  • HKLM\System\CurrentControlSet\Services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

 

For Dynamics 365, notice the service path for:

  • MSCRM Monitoring Service – Image Path key is Quoted
  • MSCRM Unzip Service – Image Path key is Quoted
  • MSCRM VSS Writer Service – Image Path key is not Quoted
  • Microsoft Help Viewer – Uninstall String is not Quoted

 

MSCRM services can be found at: HKLM\System\CurrentControlSet\Services\MSCRM…

[Image: VSSwriter_before]

 

Microsoft Help Viewer can be found at: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\

[Image: MShelp_before]

 

How to fix these unquoted paths?

The simplest way would be to update the registry settings directly, which is exactly what I did to fix these two paths on my Dynamics servers.

Note: Kindly take a backup of the registry before you modify it. This is a safeguard in case something goes wrong, as updating the registry incorrectly may have a serious impact on the system.

 

After updating my registry settings for both paths:

  • MSCRM VSS Writer Service – Image Path key is Quoted
  • Microsoft Help Viewer – Uninstall String is Quoted

[Image: VSSwriter_after]

[Image: MShelp_after]

 

The same issue is explained in much more detail, with better examples, here; it's worth reading. For other cases where this needs to be fixed at large scale, with multiple systems involved, it would be tough to change the registry manually one by one. Kindly follow this blog, where the steps to run scripts are explained in detail, or run this PowerShell script directly.
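
Before changing anything, the three registry locations listed earlier can be audited to see which values are affected. The script below is an added example, not code from this post or from the scripts linked above; it only reads the registry and prints a proposed quoted value. The function names `Get-QuotedForm` and `Find-UnquotedPath`, and the rule that the executable ends at the first `.exe`, are assumptions of this example.

```powershell
# Added example: audit only, no registry writes. Run from an elevated prompt.
$targets = @(
    @{ Root = 'HKLM:\System\CurrentControlSet\Services'; Name = 'ImagePath' }
    @{ Root = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'; Name = 'UninstallString' }
    @{ Root = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Name = 'UninstallString' }
)

# Hypothetical helper: returns the quoted form of a command line, or $null when
# the value is already quoted or its executable path contains no space.
function Get-QuotedForm {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"') { return $null }
    # Assumption: the executable ends at the first ".exe" followed by whitespace or end of string.
    if ($CommandLine -notmatch '^\s*(?<exe>.+?\.exe)(?<rest>(\s.*)?)$') { return $null }
    # Copy the groups now: the next -match/-notmatch overwrites $Matches.
    $exe, $rest = $Matches['exe'], $Matches['rest']
    # REG_EXPAND_SZ values are expanded before launch, so test the expanded path for spaces.
    if ([Environment]::ExpandEnvironmentVariables($exe) -notmatch '\s') { return $null }
    return '"{0}"{1}' -f $exe, $rest
}

function Find-UnquotedPath {
    $raw_opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($t in $targets) {
        foreach ($key in Get-ChildItem -Path $t.Root -ErrorAction SilentlyContinue) {
            # Read the raw value so %SystemRoot%-style variables survive in the proposal.
            $raw = $key.GetValue($t.Name, $null, $raw_opt)
            if ($raw -isnot [string]) { continue }
            $proposed = Get-QuotedForm -CommandLine $raw
            if ($proposed) {
                [pscustomobject]@{
                    Key      = $key.Name
                    Value    = $t.Name
                    Current  = $raw
                    Proposed = $proposed
                }
            }
        }
    }
}

Find-UnquotedPath | Format-List
```

Driver entries and other values that do not point at an `.exe` are skipped by design, so review those separately if the scan report flags them.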

 

Hope this would be helpful to someone.

Thanks ! 😀