Kingo ROOT 1.5.8 - Unquoted Service Path
#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path
#Date: 8/22/2023
#Exploit Author: Anish Feroz (ZEROXINN)
#Vendor Homepage: https://www.kingoapp.com/
#Software Link: https://www.kingoapp.com/android-root/download.htm
#Version: 1.5.8.3353
#Tested on: Windows 10 Pro
-------------Discovering Unquoted Path--------------
C:\Users\Anish>sc qc KingoSoftService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KingoSoftService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KingoSoftService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\Anish>systeminfo
Host Name: DESKTOP-UT7E7CF
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
Exploiting Kingo ROOT 1.5.8: Unquoted Service Path Vulnerability Analysis
Security researchers have identified a critical vulnerability in Kingo ROOT 1.5.8.3353, a popular Android rooting tool for Windows. This flaw stems from an unquoted service path, a common yet dangerous misconfiguration in Windows service management. The exploit, discovered by Anish Feroz (ZEROXINN), enables privilege escalation and unauthorized code execution under the LocalSystem account, posing significant risks for users running the software.
Understanding the Unquoted Service Path Vulnerability
Windows services run in the background, usually with elevated privileges. When a service's binary path contains spaces and is not enclosed in quotation marks, Windows cannot tell where the executable name ends and any arguments begin, so it tries each space-delimited prefix of the path, with .exe appended, as the executable before it reaches the intended one. For example, if the path is C:\Program Files\KingoSoft\bin\KingoSoftService.exe, a file named Program.exe placed in the C:\ directory would be executed instead of the intended binary.
This vulnerability is particularly dangerous because:
- Services run under LocalSystem privileges, granting full access to the system.
- Attackers can exploit this without requiring user interaction.
- It often goes unnoticed in software development due to oversight during installation.
Discovery and Verification
Using standard Windows administrative tools, the vulnerability was verified with the sc qc command; the output is the one reproduced at the top of this page.
The binary path contains spaces and is not enclosed in quotes. In C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe the space in Kingo Root splits the path, so the first executable Windows tries is C:\Users\Usman\AppData\Local\Kingosoft\Kingo.exe; if a malicious executable with that name exists there, the service will run it instead of the intended binary. Because the path lies under a user profile, that directory is writable by that user (and by administrators) rather than by everyone, so the escalation is from that user's account to LocalSystem, the account shown in SERVICE_START_NAME.
Exploitation Scenario
Here’s a practical example of how an attacker could leverage this vulnerability:
# Step 1: Create a malicious executable named "Kingo.exe"
# Place it in the directory that precedes the first space in the service path
C:\Users\Usman\AppData\Local\Kingosoft\Kingo.exe
# Step 2: Trigger service startup (e.g., via reboot or manual start)
sc start KingoSoftService
# Step 3: The system attempts to execute "Kingo.exe" instead of "KingoSoftService.exe"
Since the service runs as LocalSystem, the malicious executable gains full system privileges. The attacker can then:
- Establish persistent access via backdoors.
- Extract sensitive data.
- Install rootkits or malware.
Impact and Risk Assessment
| Severity | CVSS Score | Exploitability | Impact |
|---|---|---|---|
| High | 7.2 (CVSS v3.1) | Easy (no authentication required) | System compromise |
This vulnerability is classified as high severity due to its ease of exploitation and the elevated privileges involved. It represents a prime example of a path injection attack, commonly found in poorly configured software installations.
Prevention and Mitigation
Developers and users must adopt strict security practices to prevent such vulnerabilities:
- Always quote service paths in registry configurations.
- Use "C:\Path\To\Binary.exe" instead of C:\Path\To\Binary.exe.
- Perform regular security audits of installed services using sc query or Get-WmiObject Win32_Service in PowerShell.
- Disable unnecessary services, especially those from third-party tools.
For users of Kingo ROOT: It is strongly advised to uninstall the software or update to a patched version. The vendor has not yet released a fix as of August 2023, leaving users exposed.
Expert Insight: Why This Matters
Unquoted service paths are a recurring theme in modern cybersecurity threats. They are frequently exploited in ransomware campaigns and supply-chain attacks. The fact that a widely used tool like Kingo ROOT is vulnerable underscores the importance of software supply chain security. Even legitimate tools can become attack vectors when misconfigured.
Security professionals should treat every service path as a potential attack surface. Automation tools like PowerShell scripts can scan for unquoted paths across systems:
# PowerShell script to detect unquoted service paths (only unquoted image paths that contain a space are at risk; arguments after the .exe are stripped before the check)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and ($_.PathName -replace '(\.exe)\b.*$', '$1') -match '\s' } | Select-Object Name, StartName, PathName
This script lists every service whose executable path is unquoted and contains a space, together with the account it runs as, so each one can be remediated by quoting the path (for example with sc config) or by a corrected installer.
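As an added example (not the advisory's or the vendor's code), the following Python performs the audit that the analysis above does by hand and that the PowerShell one-liner does live: it extracts BINARY_PATH_NAME from an sc qc record, enumerates the prefixes Windows would try before the real binary, and emits the sc config command that quotes the path. The sample input is constructed from the output quoted in the advisory; Python is used rather than PowerShell so the logic runs offline on any platform.

```python
import re

# Constructed sample input: the `sc qc KingoSoftService` output quoted in the advisory.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KingoSoftService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\\Users\\Usman\\AppData\\Local\\Kingosoft\\Kingo Root\\update_27205\\bin\\KingoSoftService.exe
SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Turn the KEY : value lines of `sc qc` output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ survives
        if sep and key.strip().isupper():
            fields[key.strip()] = value.strip()
    return fields

def image_path(path_name):
    """Executable portion of a service command line, arguments dropped."""
    m = re.search(r"\.exe\b", path_name, re.IGNORECASE)
    return path_name[: m.end()] if m else path_name

def hijack_candidates(path_name):
    """Executables Windows would try *before* the intended one.

    For an unquoted image path, CreateProcess tries each space-delimited
    prefix with .exe appended, in order. A quoted path, or an image path
    without spaces, yields no candidates."""
    image = image_path(path_name)
    if path_name.startswith('"') or " " not in image:
        return []
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit_service(sc_qc_text):
    """Report whether the service is hijackable and give the sc config fix."""
    fields = parse_sc_qc(sc_qc_text)
    name, path_name = fields.get("SERVICE_NAME"), fields.get("BINARY_PATH_NAME", "")
    candidates = hijack_candidates(path_name)
    image, args = image_path(path_name), path_name[len(image_path(path_name)):]
    # sc config takes the whole value in quotes; the inner quotes are written as \"
    fix = 'sc config %s binPath= "\\"%s\\"%s"' % (name, image, args) if candidates else None
    return {"service": name, "account": fields.get("SERVICE_START_NAME"),
            "vulnerable": bool(candidates), "candidates": candidates, "fix": fix}
```

The candidates list is also the list of directories whose ACLs an auditor should check: if a non-administrative user can create files in any of them, the service is exploitable from that user's context.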
Conclusion
The Kingo ROOT 1.5.8.3353 unquoted service path vulnerability exemplifies how simple configuration errors can lead to catastrophic security breaches. While the exploit is straightforward, its implications are profound. Developers must prioritize secure service deployment, and users must remain vigilant about third-party software. In today’s threat landscape, even seemingly benign tools can become gateways to full system compromise.