
Unquoted Path Vulnerability - please fix ASAP

C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service -  this service has an unquoted path.

Please fix it ASAP.




  • This is the reply from Sophos support:

    "This is a known issue to Sophos and expected to be resolved in upcoming updates.
    You can change registry key and set "" manually after disabling Tamper Protection"

  • Hello lukg,

    just curious, which hmpalert.exe, Intercept X, and OS versions? I'm using it with the on-premise SESC and as far as I can see the paths are correctly quoted. 

    Christian

  • We are using Sophos Endpoint Advanced 10.8.10.3 and Sophos Intercept X 2.0.20

  • The HMPA component's installer was recently updated.  I can only think this was introduced at that point as it wasn't always an issue as QC mentions.  The EDR product even has a query for this named "Unquoted paths in the service registry keys":

    Description:

    Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)

    Created by Sophos


    SELECT
    r.path,
    r.data
    FROM registry r
    WHERE
    r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
    -- Check for data that looks like a path, does not start with a quote and contains a space
    -- Note: If the data has a parameter with a . in it will be incorrectly matched
    AND r.data like '%:\%'
    AND r.data not like '"%'
    AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'

    I assume it will be fixed at the first opportunity.
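
Added example, not part of the original thread and not Sophos code: a Python sketch that reproduces the query's three `r.data` conditions and compares them with a stricter check that looks only at the executable portion, which avoids the dotted-parameter false match the query's own comment mentions. The function names and all sample values except the hmpalert.exe path are constructed, and it assumes the service binary ends in `.exe`.

```python
import re

# Assumption: the service binary is a .exe; the first ".exe" followed by
# whitespace or end of string marks the end of the executable path.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def query_matches(data):
    """Reproduce the three r.data conditions of the query in the thread."""
    # SQLite rtrim(data, <data without dots>) strips from the right until
    # the last '.', so the LIKE '% %' test sees everything up to that dot.
    head = data[: data.rfind(".") + 1]
    return ":\\" in data and not data.startswith('"') and " " in head


def split_unquoted(data):
    """Return (exe_path, arguments) if the executable path is unquoted and
    contains a space, else None."""
    data = data.strip()
    if data.startswith('"') or ":\\" not in data:
        return None
    end = _EXE_END.search(data)
    if end is None:
        return None
    exe, args = data[: end.end()], data[end.end():]
    return (exe, args) if " " in exe else None


def quoted_form(data):
    """ImagePath with the executable wrapped in double quotes; unchanged if
    nothing needs fixing."""
    parts = split_unquoted(data)
    return data if parts is None else '"{}"{}'.format(*parts)


# Constructed sample ImagePath values; the first is the one from the thread.
SAMPLES = [
    r"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service",
    r'"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /service',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Tools\agent.exe --config C:\ProgramData\agent.conf",  # dotted argument
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(query_matches(value), split_unquoted(value) is not None, quoted_form(value))
```

The fourth sample is flagged by the query logic but not by the stricter check, because only its argument, not its executable path, contains a space before the last dot.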
