When using ActiveSetup to a Path with Spaces, PADT does not add Quotes like other Windows Preconfigured ActiveSetups.
When quotes are not used on paths with spaces, an attacker could run a different program in its place, as described in CWE-428 (CWE - CWE-428: Unquoted Search Path or Element (4.8)).
This vulnerability can be easily fixed by making the following changes in the Set-ActiveSetup function:
```powershell
## Define Active Setup StubPath according to file extension of $StubExePath
Switch ($StubExeExt) {
    '.exe' {
        [string]$CUStubExePath = "$StubExePath"
        [string]$CUArguments = $Arguments
        ## ADDS QUOTES TO ALL PATHS
        [string]$StubPath = "`"$CUStubExePath`""
    }
```
It can also be added to the $CUStubExePath of the other Switches, but since the paths to powershell.exe/cscript.exe/cmd.exe do not contain spaces, it is not strictly necessary:
```powershell
    '.js' {
        [string]$CUStubExePath = "$envWinDir\system32\cscript.exe"
        [string]$CUArguments = "//nologo `"$StubExePath`""
        [string]$StubPath = "`"$CUStubExePath`" $CUArguments"
    }
    '.vbs' {
        [string]$CUStubExePath = "$envWinDir\system32\cscript.exe"
        [string]$CUArguments = "//nologo `"$StubExePath`""
        [string]$StubPath = "`"$CUStubExePath`" $CUArguments"
    }
    '.cmd' {
        [string]$CUStubExePath = "$envWinDir\system32\CMD.exe"
        [string]$CUArguments = "/C `"$StubExePath`""
        [string]$StubPath = "`"$CUStubExePath`" $CUArguments"
    }
    '.ps1' {
        [string]$CUStubExePath = "$PSHOME\powershell.exe"
        [string]$CUArguments = "-ExecutionPolicy Bypass -NoProfile -NoLogo -WindowStyle Hidden -Command `"& { & `\`"$StubExePath`\`"}`""
        [string]$StubPath = "`"$CUStubExePath`" $CUArguments"
    }
```
Alternatively, a new detection/function should be added to add quotes only on paths with spaces and omit them if no spaces are detected.
Possibly other places in PADT are affected as well and don't have quoted paths with spaces.
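
The following is an added example, not part of the original post and not PADT code: an audit that flags Active Setup `StubPath` values whose executable path is unquoted and contains a space, which is the condition described above. The function name `Test-UnquotedStubPath` and the sample values are assumptions made for illustration.

```powershell
# Added example: flag StubPath values with an unquoted executable path containing a space (CWE-428).
function Test-UnquotedStubPath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$StubPath)

    # REG_EXPAND_SZ values can hide the space inside a variable such as %ProgramFiles%.
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath).Trim()

    # Executable portion = shortest leading run that ends in an executable extension.
    # A value that starts with a quote cannot match, because [^"] excludes the quote.
    if ($expanded -match '^(?<exe>[^"]+?\.(exe|com|bat|cmd))(\s|$)') {
        return $Matches['exe'].Contains(' ')
    }
    return $false
}

# Constructed sample values (not taken from a real system).
$samples = @(
    'C:\Program Files\Contoso App\Setup.exe /silent',
    '"C:\Program Files\Contoso App\Setup.exe" /silent',
    '%ProgramFiles%\Contoso\Setup.exe',
    'C:\Windows\system32\cscript.exe //nologo "C:\Program Files\Contoso App\fix.vbs"'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Unquoted = (Test-UnquotedStubPath -StubPath $s); StubPath = $s }
}

# Sweep the machine-wide Active Setup components (64-bit and 32-bit registry views).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = $_.GetValue('StubPath')
        if ($stub -and (Test-UnquotedStubPath -StubPath ([string]$stub))) {
            [pscustomobject]@{ Component = $_.PSChildName; StubPath = $stub }
        }
    }
}
```

Entries reported by the sweep are candidates for re-registration with a quoted path; the check only inspects the leading executable, so arguments that carry their own quoted paths are not flagged.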