MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path "MTSchedulerService"

Exploit Author: Idan Malihi
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2023-07-11
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36165

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTSchedulerService                                                                  MTSchedulerService                        C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe                         Auto

C:\Users>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTSchedulerService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo

Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation


Understanding the CVE-2023-36165 Vulnerability in MiniTool Partition Wizard ShadowMaker v.12.7

Security researchers have identified a critical vulnerability in MiniTool Partition Wizard ShadowMaker v.12.7: an unquoted service path in the MTSchedulerService. The flaw, assigned CVE-2023-36165, is a local privilege escalation risk on Windows systems where the product is installed.

What Is an Unquoted Service Path?

When a Windows service is configured with a binary path that contains spaces but is not enclosed in quotation marks, the result is a weakness known as an unquoted service path. The service control manager hands the string to CreateProcess, which cannot tell where the executable name ends and the arguments begin, so it tries each space-delimited prefix of the string as a candidate executable (appending .exe where the prefix has no extension) and treats the remainder as arguments.

For example, with the unquoted path C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe, Windows first looks for C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\MiniTool.exe, and only after those fail does it run the intended SchedulerService.exe. If a file exists at any of the earlier locations, it is executed as a standalone program in place of the real service binary, leading to unintended behaviour.

Exploitation Mechanism: A Practical Example

Consider the following output from a system query using wmic:


C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTSchedulerService MTSchedulerService C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe Auto

This command filters services that start automatically and are not part of the core Windows system, revealing the vulnerable MTSchedulerService with a non-quoted path.

Further confirmation via sc qc:


C:\Users>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTSchedulerService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

The BINARY_PATH_NAME entry confirms the absence of quotation marks around the path, making it susceptible to manipulation.

Attack Scenario: Privilege Escalation via a Planted Executable

An attacker with low-privileged user access can exploit this weakness by placing an executable at one of the locations Windows probes before it reaches the real service binary. For instance, a file named Program.exe at the root of C:\ (the text before the first space in the path) would be launched as the service image before the intended SchedulerService.exe is ever reached. In a default Windows installation a standard user cannot create files in C:\ or under C:\Program Files (x86), so the flaw is exploitable only where those directory permissions have been weakened; checking the ACLs of each probed location is therefore the key step when assessing a given host.

Because MTSchedulerService runs under the LocalSystem account, whatever is executed through this path inherits system-level privileges. This is a classic binary-planting (search-order hijacking) vector, a close relative of DLL hijacking.

Impact and Risk Assessment

Factor           Severity   Description
Exploitability   High       Minimal user interaction required; exploit can be automated.
Privilege Level  System     Service runs as LocalSystem, enabling full system control.
Attack Vector    Local      Requires local access to the system, but no additional authentication.
Remediation      Simple     Quoting the path resolves the issue; patching is straightforward.

Real-World Implications

This vulnerability has been observed in environments where users install third-party disk management tools like MiniTool Partition Wizard. While the software is legitimate and widely used, the lack of proper path quoting in service configuration introduces a security gap that attackers can leverage.

Attackers might use this flaw to:

  • Deploy persistent malware under the guise of a legitimate service.
  • Gain unrestricted access to system files, registry keys, and network resources.
  • Evade detection by mimicking trusted system components.

How to Mitigate the Risk

Administrators and users should take immediate action to reduce exposure:

  • Update the software to a version that includes the fix (e.g., v.12.8 or later).
  • Verify service paths using wmic or sc query commands to identify unquoted paths.
  • Manually edit the service configuration via sc config to quote the path:

sc config MTSchedulerService binPath= "\"C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe\""

After this change, the service will load correctly, and the attack vector is neutralized.
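As an added example (not part of the original advisory or the analysis), the following Python audits `sc qc` output of the kind shown above: it applies the prefix rule from the "What Is an Unquoted Service Path?" section to list the locations Windows probes before the real binary, and builds the `sc config` quoting command from the mitigation steps. The sample text is constructed from the advisory's own output, and the rule that the image path ends at the first token ending in .exe is an assumption used to separate arguments.

```python
import re
import ntpath

# Constructed sample: abbreviated `sc qc MTSchedulerService` output from the advisory.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map the 'KEY : value' lines of `sc qc` output to a dict (values may contain ':')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).rstrip()
    return fields

def split_image_and_args(path_name):
    """Split an unquoted BINARY_PATH_NAME into image path and trailing arguments.
    Assumed heuristic: the image ends at the first space-delimited token ending in .exe."""
    tokens = path_name.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return path_name, ""

def candidate_paths(image_path):
    """Executables CreateProcess tries, in order, for an unquoted path containing spaces:
    every space-delimited prefix, with .exe appended when the prefix has no extension."""
    tokens = image_path.split(" ")
    prefixes = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    return [p if ntpath.splitext(p)[1] else p + ".exe" for p in prefixes]

def audit_service(sc_qc_text):
    """Flag a space-containing, unquoted binary path and build the `sc config` fix."""
    f = parse_sc_qc(sc_qc_text)
    name, path_name = f["SERVICE_NAME"], f["BINARY_PATH_NAME"]
    image, args = split_image_and_args(path_name)
    if path_name.startswith('"') or " " not in image:
        return {"service": name, "vulnerable": False, "candidates": [], "fix": None}
    quoted = f'\\"{image}\\"' + (f" {args}" if args else "")
    return {"service": name, "account": f.get("SERVICE_START_NAME"), "vulnerable": True,
            "candidates": candidate_paths(image)[:-1],  # probed before the real exe
            "fix": f'sc config {name} binPath= "{quoted}"'}
```

The `candidates` list is what to check for write access by non-administrators on a given host; the `fix` string reproduces the quoting command from the mitigation section.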

Expert Insight: Why This Flaw Is Common

Many software vendors, especially those with automated installation processes, fail to properly quote paths during service registration. This is often due to oversight or reliance on default installer templates that do not account for spaces in file paths. The MiniTool ShadowMaker case illustrates how even reputable tools can introduce risks when configuration is not rigorously validated.

Security professionals should adopt a proactive stance: always audit service paths during system hardening, especially in environments with third-party applications.

Conclusion

CVE-2023-36165 serves as a reminder that even well-known software can harbor critical vulnerabilities. The unquoted service path flaw in MTSchedulerService is a textbook example of how poor configuration can lead to privilege escalation. By understanding the mechanics of this exploit and implementing timely fixes, organizations can significantly reduce their attack surface and maintain a secure operational environment.