Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation

Exploit Author: bios
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2024-07-16

# Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Bonjour Service    Bonjour Service    C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe    Auto

C:\>systeminfo

Host Name:                 DESKTOP-HFBJOBG
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command "(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
3,0,0,10

#Exploit:

There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe).
This may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate privileges.


Bonjour Service 'mDNSResponder.exe' — Unquoted Service Path Privilege Escalation

The Bonjour service (mDNSResponder.exe) installed by some Apple and third‑party packages can be vulnerable to an unquoted service path condition when the ImagePath contains spaces and is not wrapped in quotes. This article explains the issue, demonstrates safe detection techniques, discusses impact, and presents mitigation and hardening guidance for administrators and security teams.

What is an unquoted service path?

An unquoted service path occurs when a Windows service's executable path contains one or more space characters and the configured ImagePath (binary path) is not enclosed in double quotes. Windows may interpret the path by splitting on spaces, searching for executables in intermediate folders. If a lower‑privileged local user can write to one of those intermediate folders, they may place a malicious executable that will be started by the service on the next service start, potentially resulting in privilege escalation.

Why Bonjour / mDNSResponder can be affected

Many installers place Bonjour under directories containing spaces, for example:

Service                           Typical ImagePath
Bonjour Service (mDNSResponder)   C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe

If that ImagePath is stored without surrounding quotes, Windows may try C:\Program as the executable before it reaches the intended path, which becomes an attack surface when directory write permissions are not locked down.

Discovery and verification

Administrators can discover unquoted service paths using native tools. The following examples are defensive: they show how to enumerate services whose paths are not quoted so you can remediate them.

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Explanation: This WMIC pipeline lists services configured to start automatically, filters out standard Windows system binaries (paths under C:\Windows\), and removes already quoted paths. The output highlights candidates like Bonjour whose path includes spaces and lacks quotes.

A more robust PowerShell one‑liner that lists unquoted ImagePath values for installed services:

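Get-WmiObject Win32_Service |
  Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^\s*"' -and ($_.PathName -replace '(?i)\.exe.*$', '') -match '\s' } |
  Select-Object Name, DisplayName, PathName, StartMode

Explanation: This PowerShell command queries Win32_Service and keeps services set to Auto start whose PathName does not begin with a quote and contains a space in the executable portion, that is, before any arguments that follow the .exe name. Services such as svchost.exe that only have spaces in their arguments, and quoted paths followed by arguments, are therefore not reported. It then selects useful fields for review. Use this defensively to build a list of services requiring remediation.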

Example verified information

Attribute        Value
Service          Bonjour Service (mDNSResponder)
ImagePath        C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe
Tested Version   3.0.0.10
Tested On        Microsoft Windows 10 Home (build 19045)
Discovery        Unquoted Service Path

Risk and impact

  • Privilege escalation: If an attacker with local write access to an intermediate directory places a malicious binary matching an early path component, the service may execute it with the service account's privileges (often SYSTEM).
  • Local attack only: The issue requires local access to the file system; it is not a remote code execution vulnerability by itself.
  • Depends on ACLs: Exploitation relies on writable permissions on the intermediate directories. Properly locked directories significantly reduce risk.
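
The ACL dependency in the last point can be checked directly. The PowerShell below is an added example, not code from the original advisory or from the vendor: it lists the directories Windows consults while resolving an unquoted ImagePath and reports any allow rule that lets a principal outside a trusted set create files there. The function names and the trusted-SID list are assumptions to adapt locally.

```powershell
# Added example: function names and the trusted-SID list are assumptions for illustration.
function Get-UnquotedPathDirectories {
    # Directories Windows consults while resolving an unquoted ImagePath,
    # one per space in the executable portion of the path.
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath -match '^\s*"') { return }                   # already quoted
    $exe  = $ImagePath.Trim() -replace '(?i)(\.exe).*$', '$1'   # drop trailing arguments
    $dirs = @()
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $dirs += [System.IO.Path]::GetDirectoryName($exe.Substring(0, $i))
    }
    $dirs | Where-Object { $_ } | Select-Object -Unique
}

function Get-NonAdminWriteRules {
    # Allow ACEs that let a principal outside $trusted create files in $Directory itself.
    param([Parameter(Mandatory)][string]$Directory)
    $trusted = @(
        'S-1-5-18',        # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $create      = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $create) -and
        -not ($_.PropagationFlags -band $inheritOnly) -and   # inherit-only ACEs do not apply here
        $_.IdentityReference.Value -notin $trusted
      }
}

# Constructed input: the ImagePath reported on this page.
$imagePath = 'C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe'
foreach ($dir in Get-UnquotedPathDirectories -ImagePath $imagePath) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($rule in Get-NonAdminWriteRules -Directory $dir) {
        [PSCustomObject]@{
            Directory = $dir
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
        }
    }
}
```

For the path on this page the directories audited are C:\ and C:\Program Files\Blizzard. Each row returned is an ACL entry to tighten; ACEs expressed only as generic access bits are not decoded by this check.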

Responsible disclosure and affected versions

The condition has been observed in Bonjour Service versions such as 3.0.0.10 on Windows 10. Check vendor advisories and software update notes at the vendor site (for Apple/Bonjour) or the distributing vendor (e.g., Blizzard) for fixes or updated installers that quote service paths.

Detection and monitoring

Make unquoted service path checks part of routine host hardening scans. Integrate the PowerShell query above into configuration management or endpoint detection tooling and alert on any unquoted ImagePath values for auto‑start services.

# Example: Save a simple list of unquoted services to a CSV for triage
# Unquoted = no leading quote and a space before the first ".exe" (arguments are ignored)
Get-WmiObject Win32_Service |
  Where-Object { $_.PathName -notmatch '^\s*"' -and ($_.PathName -replace '(?i)\.exe.*$', '') -match '\s' } |
  Select-Object Name, DisplayName, PathName, StartMode |
  Export-Csv -Path .\UnquotedServices.csv -NoTypeInformation

Explanation: This script exports detected unquoted service paths to a CSV file so administrators can review and prioritize remediation across hosts.

Mitigation and remediation

Primary mitigations:

  • Quote the ImagePath so Windows parses the full path correctly.
  • Ensure intermediate directories have strict ACLs (no untrusted write permissions).
  • Apply vendor updates that correct the installer or service configuration.
  • Run services with the least required privileges and avoid using highly privileged accounts where possible.

Remediation can be done safely using administrative tools. Example: update the service binPath with sc.exe to include quotes.

sc config "Bonjour Service" binPath= "\"C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe\""

Explanation: This command updates the binary path for the named service and encloses it in double quotes so Windows will interpret the entire path correctly. Each \" escapes an inner quote so that it is stored as part of the value, and the space after binPath= is required by sc.exe. The command is written to be run directly in cmd.exe.

Alternative registry method (administrators only): edit the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\ to include quotes. Always back up the registry and service configurations before making changes.

Validation after remediation

sc qc "Bonjour Service"
# or using PowerShell
Get-WmiObject Win32_Service -Filter "Name='Bonjour Service'" | Select-Object Name, PathName

Explanation: These commands verify the configured binary path for the service is now quoted and matches the intended executable location.

Hardening recommendations

  • Include unquoted service path checks in baseline system hardening scans.
  • Harden Program Files and other application directories to restrict write access to Administrators and System only.
  • Require vendors to use quoted ImagePath values in installers and service manifests.
  • Monitor software inventory for known installers that historically created unquoted paths and update or replace them.
  • Use application whitelisting to block unauthorized executables from running even if placed in attractive locations.

Administrator checklist

  • Scan all hosts for unquoted service paths weekly.
  • Apply vendor updates for Bonjour and related third‑party software.
  • Quote offending service ImagePath entries or reinstall using an updated installer.
  • Audit directory ACLs for write permissions for non‑privileged users.
  • Document changes and revalidate service behavior (start/stop) after remediation.

Appendix: safe detection scripts

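# Full PowerShell function to find unquoted service paths and optionally remediate
function Get-UnquotedServicePaths {
  [CmdletBinding()]
  param([switch]$Remediate)
  # Unquoted = no leading quote and a space before the first ".exe" (arguments are ignored)
  $services = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notmatch '^\s*"' -and ($_.PathName -replace '(?i)\.exe.*$', '') -match '\s' }

  foreach ($s in $services) {
    [PSCustomObject]@{
      Name        = $s.Name
      DisplayName = $s.DisplayName
      Path        = $s.PathName
      StartMode   = $s.StartMode
    }
    if ($Remediate) {
      Write-Verbose "Remediating $($s.Name)"
      # Quote only the executable; any trailing arguments stay outside the quotes
      $quoted = $s.PathName.Trim() -replace '(?i)^(.+?\.exe)(.*)$', '"$1"$2'
      # Write ImagePath in the registry: embedded quotes passed to sc.exe from
      # PowerShell are not preserved consistently across PowerShell versions
      $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
      Set-ItemProperty -Path $key -Name ImagePath -Value $quoted -Type ExpandString
    }
  }
}

Explanation: This function enumerates services whose PathName is not quoted and contains a space in the executable portion. If invoked with -Remediate (requires admin), it quotes the executable portion, leaves any arguments after it unchanged, and writes the result to the service's ImagePath value in the registry, the alternative method described above. Add -Verbose to see which services are changed. Use caution: remediation will modify service configuration and requires testing in a controlled environment before wide deployment.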

Final notes

Unquoted service paths are a common and easily detectable misconfiguration that can lead to local privilege escalation if combined with permissive filesystem ACLs. For Bonjour and other vendor services, the pragmatic approach is: detect, quote the path, tighten ACLs, and apply vendor updates. Regular scanning and automation will reduce the window of exposure.