Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.rapid7.com/
# Software Link: https://www.rapid7.com/products/nexpose/
# Version: 6.6.240
# Tested: Windows 10 x64
# Step to discover Unquoted Service Path:

```
C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname
DisplayName               Name            PathName                                                  StartMode  StartName
Nexpose Security Console  nexposeconsole  "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"  Auto       LocalSystem
```
# Service info:

```
C:\Users\saudh>sc qc nexposeconsole
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeconsole
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Security Console
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```
# Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Rapid7 Nexpose — “nexposeconsole” Unquoted Service Path: analysis, detection, and mitigation
An unquoted service path is a common Windows misconfiguration that can allow a local, non‑privileged user to achieve privilege escalation by tricking a service into executing an unintended binary. This article explains the issue in the context of Rapid7 Nexpose (service name: nexposeconsole), how to detect whether a system is affected, safe remediation options, and hardening recommendations to reduce risk.
What is an unquoted service path?
Windows services are configured with a binary path (ImagePath) stored in the service configuration. If that path contains spaces and is not enclosed in quotes, Windows resolves it by trying each space-delimited prefix in turn as an executable before reaching the intended binary. For example, if ImagePath is set to C:\Program Files\My App\bin\app.exe (without quotes), Windows might try to run:
- C:\Program.exe
- C:\Program Files\My.exe
- C:\Program Files\My App\bin\app.exe
If a writable directory exists earlier in that sequence and an attacker can place an executable there, they could get it executed by the service — which runs with the service account privileges (often LocalSystem).
Why this matters for Nexpose (nexposeconsole)
If the Nexpose Security Console service (nexposeconsole) were configured with an unquoted ImagePath and the service runs as LocalSystem, a local user could potentially abuse that misconfiguration to run code with elevated privileges. Even when the service binary itself is legitimate, the presence of an unquoted path and writeable parent directories creates an unnecessary attack surface.
| Item | Notes |
|---|---|
| Service name | nexposeconsole (Nexpose Security Console) |
| Affected versions | Potentially any version with an unquoted ImagePath; verify product release notes and Rapid7 advisories for version-specific details |
| Worst-case impact | Local privilege escalation to the service account (commonly LocalSystem) |
How to detect unquoted service paths (safe checks)
Perform detection as an administrator. These checks are defensive and identify services whose ImagePath contains spaces but lacks surrounding quotes.
```powershell
Get-WmiObject win32_service |
    Where-Object {
        $_.PathName -and
        $_.PathName -match ' ' -and
        $_.PathName -notmatch '^".*"$'
    } |
    Select-Object Name, DisplayName, PathName, StartMode, StartName
```
Explanation: This PowerShell pipeline enumerates services, filters for those that have a PathName containing a space and that are not enclosed in quotes, and displays key fields. Use this to discover potential unquoted service paths across a host.
```
sc qc nexposeconsole
```
Explanation: The sc qc command queries the configuration for the nexposeconsole service and shows the BINARY_PATH_NAME. Review the PathName value: it should be properly quoted if it contains spaces. Example safe output (quoted path):
```
BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
```
If the value appears without surrounding quotes and contains spaces, treat it as a finding.
```powershell
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\nexposeconsole' -Name ImagePath
```
Explanation: This reads the ImagePath from the Windows Service registry key for the service. It is a definitive place to inspect the configured path.
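The pipeline above reports every PathName that contains a space and is not wholly enclosed in quotes, so a quoted binary followed by arguments (for example `"C:\Program Files\x\app.exe" -svc`) or `svchost.exe -k netsvcs` is listed alongside genuine findings. The function below is an added example, not code from the advisory or from Rapid7: it resolves the space-delimited prefixes in the order Windows tries them, stops at the first file that actually exists, and reports whether the directory holding each intermediate candidate grants write access to a low-privilege principal. It assumes PowerShell with the CIM cmdlets; the function name Get-UnquotedServicePathRisk and the LowPrivGroups parameter are my own.

```powershell
# Added example, not from the advisory or from Rapid7: resolve each service's
# PathName the way CreateProcess would and flag intermediate candidates whose
# parent directory grants write access to a low-privilege principal.
function Get-UnquotedServicePathRisk {
    [CmdletBinding()]
    param(
        # Principals whose write access makes a candidate directory a real finding.
        [string[]]$LowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        # A path that starts with a quote, or contains no space at all, is unambiguous.
        if (-not $path -or $path.StartsWith('"') -or $path -notmatch ' ') { return }
        # Walk the space-delimited prefixes in the order Windows tries them
        # (C:\Program.exe, C:\Program Files\My.exe, ...), appending .exe when the
        # prefix has no extension, and stop at the first one that already exists:
        # that is the file the service really launches, so arguments after it
        # (e.g. "svchost.exe -k netsvcs") are never mistaken for a path.
        $parts = $path -split ' '
        $candidates = @()
        for ($i = 1; $i -le $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            if (-not [IO.Path]::HasExtension($prefix)) { $prefix += '.exe' }
            $candidates += $prefix
            if (Test-Path -LiteralPath $prefix -PathType Leaf) { break }
        }
        foreach ($candidate in $candidates) {
            $dir = Split-Path -Parent $candidate
            if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            # Conservative check: any Allow ACE for a low-privilege principal whose
            # rights include a Write* flag, Modify or FullControl counts as writable.
            $writable = (Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $LowPrivGroups -contains $_.IdentityReference.Value -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            }
            [pscustomobject]@{
                Service     = $svc.Name
                StartName   = $svc.StartName
                PathName    = $path
                Candidate   = $candidate
                WritableDir = [bool]$writable
            }
        }
    }
}
# Typical use: show only the candidates a low-privilege user could actually write.
Get-UnquotedServicePathRisk | Where-Object WritableDir | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every directory; rows where WritableDir is true and StartName is LocalSystem are the ones to remediate first.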
Safe remediation and mitigation steps
When you find an unquoted service path, take a cautious, documented approach. Always back up the registry and test changes in a non‑production environment where possible. Recommended mitigations include:
- Quote the ImagePath — ensure the full path is enclosed in double quotes. This prevents Windows from interpreting intermediate path segments. Example (run as administrator):
```
sc config "nexposeconsole" binPath= "\"C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe\"" start= auto
```
Explanation: This sc config example sets the service's binary path with explicit quotes. The outer quotes are consumed by cmd.exe and the escaped inner quotes (\") are what the service receives as its ImagePath; sc also requires the space after binPath= and start=. Note: editing a running service can disrupt operation; schedule a maintenance window and restart the service after making changes.
- Harden filesystem permissions — ensure that the folder hierarchy containing the service binary (and parent folders such as C:\Program Files\rapid7) is writable only by administrators and service owners. Remove write permissions for low‑privilege users/groups.
```
icacls "C:\Program Files\rapid7" /remove:g "Users"
```
Explanation: This example removes the granted permissions for the built-in Users group on the Rapid7 installation folder. Apply such ACL changes carefully: validate the permission requirements of legitimate processes and test before deployment. Apply the principle of least privilege to folder ACLs.
- Run services with least privilege — avoid running services as LocalSystem when not necessary. Use a managed service account or a low‑privilege service account with only required rights. Changing the service account requires testing and credentials management.
- Apply application whitelisting — Windows Defender Application Control, AppLocker, or Software Restriction Policies can prevent untrusted binaries from running even if written into a folder.
- Update the product — check Rapid7 release notes and apply any vendor-supplied fixes or hardening recommendations. Contact Rapid7 support if you suspect a packaging/configuration issue in a product distribution.
- Audit and alert — monitor for suspicious file creation in service directories and log events around service starts. SIEM rules and EDR can detect attempts to write executables to directories that should not change.
Operational recommendations and best practices
- Document any change and schedule downtime where needed. Incorrectly editing service configuration can prevent the service from starting.
- Prefer installing server applications under directories without spaces (if supported), or ensure the installer writes a quoted image path. Modern installers should handle quoting, but validate this after installation.
- Use automated scanning across your estate (PowerShell or enterprise management tools) to find unquoted service paths and generate prioritized remediation tickets.
- Where local users must exist on hosts (e.g., service desks, test users), restrict local accounts and follow least privilege policies to reduce attack surface.
Example enterprise detection workflow
1) Run the PowerShell detection script across endpoints via your management system (SCCM, Intune, Ansible).
2) Triage results: identify services running as LocalSystem, those in writable directories, and those tied to third‑party apps.
3) Apply fixes (quote ImagePath, harden ACLs, change service accounts) in test groups, then roll out to production with monitoring for service failures.
When to contact Rapid7 and additional notes
If you find an unquoted path shipped by Rapid7 installers (i.e., a default configuration issue), report it to Rapid7 support or your vendor contact. Provide affected version numbers, reproduction steps, and your remediation plan. Vendor patches or updated installers may already exist — check the vendor advisory page and release notes.
Summary: an unquoted service path is a straightforward but serious misconfiguration. Detecting it is simple with defensive PowerShell or sc/registry inspection; remediation consists of quoting the ImagePath, hardening ACLs, limiting service privileges, and applying application control. Follow change control and test before applying fixes in production.