MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path "MTAgentService"

Exploit Author: Idan Malihi
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2023-07-11
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36164

# PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTAgentService                                                                      MTAgentService                            C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe                             Auto

C:\Users>sc qc MTAgentService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTAgentService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTAgentService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo

Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation


Understanding CVE-2023-36164: Unquoted Service Path Vulnerability in MiniTool Partition Wizard ShadowMaker v.12.7

Security researchers have identified a local privilege escalation vulnerability in MiniTool Partition Wizard ShadowMaker v.12.7, tracked as CVE-2023-36164. The flaw is an unquoted service path in the MTAgentService component: the service starts automatically and runs as LocalSystem, so a binary planted at one of the locations Windows probes before reaching the real executable is launched as SYSTEM on the next service start. Exploitation needs no user interaction, but it does require a foothold on the machine with write access to C:\ or C:\Program Files (x86), which standard users do not have under default Windows ACLs. The bug turns that write access into SYSTEM code execution; it does not grant access on its own.

What Is an Unquoted Service Path?

An unquoted service path occurs when the executable path for a Windows service is not enclosed in quotation marks. This oversight can be exploited during service startup, especially when the service runs under LocalSystem privileges.

Consider the following example:

BinaryPathName: C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe

Here the path contains spaces but is not quoted. When the Service Control Manager starts the service, CreateProcess has to guess where the executable name ends, so it treats every space as a possible end of the module name, appends .exe to any candidate that has no extension, and runs the first file that exists. For this path the probe order is:

  • C:\Program.exe
  • C:\Program Files.exe
  • C:\Program Files (x86)\MiniTool.exe
  • C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe

An attacker who can write to the root of the drive can therefore plant C:\Program.exe (note: in C:\, not inside Program Files (x86)), and one who can write to C:\Program Files (x86) can plant MiniTool.exe there. Either file is executed as LocalSystem instead of AgentService.exe.

This behaviour is documented for CreateProcess: with an unquoted module name that contains spaces, the function tries each space-delimited prefix in turn until one resolves to a file. Enclosing the path in double quotes removes the ambiguity entirely, which is why the fix is a one-character change on each side of the path.
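As an added illustration (not part of the original advisory, and not MiniTool code), the following Python models the CreateProcess probing order for an unquoted command line and lists the locations where a planted file would pre-empt the intended binary. It is pure string handling built on ntpath, so it runs on any platform and never calls the Windows API; the quoted variant is included to show why quoting collapses the candidate list to one entry.

```python
"""Candidate executables Windows probes for an unquoted service ImagePath.

Added example, not from the advisory.  Pure string handling (ntpath), so it
runs anywhere; it models the documented CreateProcess behaviour rather than
calling it.
"""
import ntpath


def createprocess_candidates(image_path):
    """Return, in order, the files Windows would try to run for image_path.

    For an unquoted command line CreateProcess treats every space as a
    possible end of the module name, appends '.exe' when the candidate has
    no extension, and launches the first file that exists.  A quoted path
    has exactly one candidate.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    boundaries = [i for i, ch in enumerate(s) if ch == " "] + [len(s)]
    candidates = []
    for pos in boundaries:
        prefix = s[:pos]
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"  # no extension -> Windows appends .exe
        candidates.append(prefix)
    return candidates


def hijack_locations(image_path):
    """(directory, filename) pairs an attacker could plant: every candidate
    except the last one, which is the intended executable."""
    cands = createprocess_candidates(image_path)
    return [(ntpath.dirname(c), ntpath.basename(c)) for c in cands[:-1]]


if __name__ == "__main__":
    # BINARY_PATH_NAME from the sc qc output on this page
    VULN = r"C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe"
    FIXED = '"' + VULN + '"'
    for label, path in (("unquoted", VULN), ("quoted", FIXED)):
        print(f"{label}:")
        for c in createprocess_candidates(path):
            print("   ", c)
    print("plant one of:", hijack_locations(VULN))
```

The first two candidates live in the root of the system drive and the third in C:\Program Files (x86); on a default installation none of those directories allows file creation by a standard user, so checking their ACLs is the quickest way to decide whether a given host is actually exposed.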

Exploitation Scenario: The Real-World Attack Vector

Attackers exploit this by planting a binary at one of the paths Windows probes before the real executable. Step by step:

  • Step 1: Identify services with unquoted paths using wmic or sc qc.
  • Step 2: Target MTAgentService, which runs as LocalSystem with AUTO_START.
  • Step 3: Place a malicious executable at C:\Program.exe (or C:\Program Files.exe, or MiniTool.exe in C:\Program Files (x86)). This is the real barrier: the default ACLs on C:\ and C:\Program Files (x86) deny file creation to standard users, so the attacker needs an account, a loosened ACL, or another primitive that grants write access there.
  • Step 4: Wait for a reboot or restart the service. A standard user normally cannot stop or start a LocalSystem service, so a reboot is the realistic trigger; the Service Control Manager then launches the planted file.

Once executed, the payload runs as LocalSystem, giving full control of the host for persistence, credential theft, or as a staging point for lateral movement across the network.

Proof of Concept (PoC) Analysis

From the original PoC provided by researcher Idan Malihi, the following commands reveal the vulnerability:

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

This command lists every service and keeps only the lines that:

  • Contain auto (case-insensitive), which picks up Auto start services (it would also match a display name or path containing that string).
  • Do not contain C:\Windows\, dropping the built-in services.
  • Do not contain a double quote, i.e. the path is unquoted.

The chain is a quick triage, not a precise test: a service whose executable is unquoted but whose arguments contain a quoted path is dropped by the last filter, and an unquoted path without spaces (C:\Tools\svc.exe, say) is reported although it cannot be hijacked this way. Each hit still has to be confirmed with sc qc.

Output:

MTAgentService MTAgentService C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe Auto

This confirms the presence of an unquoted service path.

Next, querying the service configuration:

sc qc MTAgentService

Output confirms:

Parameter            Value
SERVICE_NAME         MTAgentService
START_TYPE           2 (AUTO_START)
BINARY_PATH_NAME     C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
SERVICE_START_NAME   LocalSystem

These findings validate the vulnerability: the service runs as LocalSystem, starts automatically, and uses an unquoted executable path.

Why This Vulnerability Matters

This flaw needs no user interaction: nobody has to open a file or click a link. What it does need is write access to C:\ or C:\Program Files (x86) and a subsequent service restart or reboot. On a default installation those directories are writable only by administrators, so the realistic victim is a host whose ACLs have been loosened (a common side effect of third-party installers or of an administrator working around a permissions problem), or one where the attacker already holds a low-privileged foothold and is looking for a route to SYSTEM.

Attackers typically use this technique for:

  • Persistence after initial compromise: the planted binary is started by the Service Control Manager on every boot.
  • Privilege escalation during post-exploitation, from a user with write access to the probed directories to LocalSystem.
  • Turning a weak-ACL write primitive (a world-writable C:\ or C:\Program Files (x86)) into code execution as SYSTEM.

Because MiniTool ShadowMaker is a backup utility frequently installed on administrator workstations and servers, the vulnerable service is likely to be present on high-value hosts.

How to Mitigate the Risk

Organizations and users should take the following steps:

  • Update to a patched version: the software should be updated to v.12.8 or later, where the service path is quoted. After updating, confirm with sc qc MTAgentService that BINARY_PATH_NAME is enclosed in double quotes rather than trusting the version number alone.
  • Audit service paths: sc qc <service> shows the configured path of one service; wmic service get name,pathname,startmode (or Get-CimInstance Win32_Service in PowerShell) lists them all. Any unquoted path with a space in its executable portion is a finding, whatever the vendor.
  • Detect planted binaries: alert on file creation in the root of the system drive and in C:\Program Files (x86) (Sysmon Event ID 11 records this), and on services.exe spawning an unexpected image such as C:\Program.exe. Microsoft Defender for Endpoint or any EDR/SIEM can carry these rules.
  • Apply least privilege: vendors should not run helper services as LocalSystem unless the work genuinely requires it; a dedicated service account with only the rights it needs limits what a hijacked path yields.

Additionally, administrators should:

  • Verify that file creation in C:\ and C:\Program Files (x86) is limited to administrators (icacls shows the ACL). The default ACLs already enforce this, so the real risk is an ACL that has been loosened.
  • Enable AppLocker or Windows Defender Application Control so that an executable dropped into those directories is blocked from running even if the path is hijacked.
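To make the audit described above repeatable, here is an added Python example (not from the advisory or from MiniTool) that parses the fixed-width table wmic prints, applies the PoC's findstr chain line by line, and beside it applies the check that actually matters: is the executable portion of the path unquoted, and does it contain a space? It also emits the sc config command that quotes the path while preserving any arguments. The table is a constructed sample: only the MTAgentService row is taken from this page; wuauserv, QuotedSvc, ArgsSvc and NoSpaceSvc are invented to show where the findstr chain over- and under-reports. Paste real output from wmic service get displayname,name,pathname,startmode into WMIC_OUTPUT to run it against a live host.

```python
"""Audit wmic service output for unquoted paths with spaces.

Added example, not from the advisory.  Compares the PoC's findstr chain with
a check on the executable portion of the path, and prints the sc fix.
"""
import re

# Constructed sample in the fixed-width layout wmic uses.  Only the
# MTAgentService row comes from this page; the other services are made up.
_ROWS = [
    ("DisplayName", "Name", "PathName", "StartMode"),
    ("MTAgentService", "MTAgentService",
     r"C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe", "Auto"),
    ("Windows Update", "wuauserv",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p", "Manual"),
    ("Example Quoted Svc", "QuotedSvc",
     r'"C:\Program Files\Example\svc.exe" -run', "Auto"),
    ("Example Args Svc", "ArgsSvc",
     r'C:\Program Files\Example Tools\agent.exe --cfg "C:\ProgramData\a.cfg"', "Auto"),
    ("No Space Svc", "NoSpaceSvc", r"C:\Tools\svc.exe", "Auto"),
]
WMIC_OUTPUT = "\n".join(f"{d:<20}{n:<16}{p:<72}{s}" for d, n, p, s in _ROWS)


def parse_wmic_table(text):
    """Split fixed-width wmic output into dicts, slicing each row at the
    column start offsets taken from the header line."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    cols = [header[a:b].strip() for a, b in bounds]
    return [dict(zip(cols, [row[a:b].strip() for a, b in bounds])) for row in rows]


def executable_of(image_path):
    """Module name of an ImagePath: the quoted part if quoted, otherwise
    everything up to and including the first '.exe' (a heuristic; an
    unquoted path is ambiguous by definition, which is the whole problem)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    m = re.search(r"\.exe\b", p, re.IGNORECASE)
    return p[:m.end()] if m else p


def is_unquoted_with_spaces(image_path):
    """True when the path is hijackable: unquoted, with a space in the
    executable portion."""
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_of(p)


# Line-level replica of the PoC filter:
#   findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
def poc_findstr_chain(text):
    """Lines the PoC's findstr chain would print (substring semantics)."""
    hits = []
    for ln in text.splitlines():
        low = ln.lower()
        if "auto" in low and "c:\\windows\\" not in low and '"' not in ln:
            hits.append(ln)
    return hits


def audit(text):
    """Services that are actually exploitable.  Start mode does not affect
    exploitability, only when the planted payload fires."""
    return [svc for svc in parse_wmic_table(text)
            if is_unquoted_with_spaces(svc["PathName"])]


def sc_config_fix(name, image_path):
    """sc config command that quotes the executable and keeps its arguments.
    sc.exe takes the whole binPath in double quotes, with the embedded quotes
    escaped by a backslash; the same value can also be written to ImagePath
    under HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>."""
    p = image_path.strip()
    exe = executable_of(p)
    rest = p[len(exe) + 2:] if p.startswith('"') else p[len(exe):]
    args = rest.strip()
    binpath = f'"{exe}"' + (f" {args}" if args else "")
    escaped = binpath.replace('"', '\\"')
    return f'sc config {name} binPath= "{escaped}"'


if __name__ == "__main__":
    print("PoC findstr chain reports:")
    for ln in poc_findstr_chain(WMIC_OUTPUT):
        print("   ", ln)
    print("Actually hijackable:")
    for svc in audit(WMIC_OUTPUT):
        print("   ", svc["Name"], "->", svc["PathName"])
        print("      fix:", sc_config_fix(svc["Name"], svc["PathName"]))
```

On the sample, the findstr chain reports MTAgentService and NoSpaceSvc (the latter a false positive, since C:\Tools\svc.exe has no space to split on) and misses ArgsSvc because its arguments contain a quoted path; the executable-portion check reports MTAgentService and ArgsSvc. Run the generated sc config line from an elevated prompt and re-check with sc qc afterwards.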

Expert Insight: The Broader Implications

Unquoted service paths are a recurring issue in software development. The root cause is almost always an installer that passes an unquoted lpBinaryPathName to CreateService (or an unquoted binPath= to sc create), and it is trivial to catch with a static check of the installer or a post-install sc qc. That even established vendors keep shipping it during updates shows the gap between documented best practice and real-world release engineering.

Security professionals should treat such vulnerabilities as red flags for:

  • Code quality assurance.
  • Automated vulnerability scanning.
  • Supply chain risk assessment.

In MITRE ATT&CK terms this is T1574.009, Hijack Execution Flow: Path Interception by Unquoted Path, a technique used for both persistence and privilege escalation. Because the payload ends up running as a Windows service under LocalSystem, it also overlaps with T1543.003, Create or Modify System Process: Windows Service, a staple of advanced persistent threats seeking to maintain access and escalate privileges.

Conclusion

CVE-2023-36164 is a prime example of how a small configuration flaw can become a SYSTEM-level compromise of a host. The unquoted service path in MTAgentService of MiniTool Partition Wizard ShadowMaker v.12.7 is real, easy to verify with sc qc, and trivial to fix. Organizations should patch affected systems, audit service configurations, and confirm that the directories Windows probes on the way to the real binary are not writable by ordinary users.

Security is not just about firewalls and antivirus; it is about knowing the attack surface and closing paths like this one, which hide in plain sight.