itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Service binary permissions false positive #56

Closed itm4n closed 3 weeks ago

itm4n commented 4 months ago

Under specific conditions, the function Invoke-ServicesImagePermissionsCheck incorrectly reports some service binary permissions as vulnerable.

Below is an example when the script is executed while the current directory is C:\Users\USERNAME. It identifies Desktop as a token to check, finds that the path C:\Users\USERNAME\Desktop exists, and is writable. Therefore, it reports the service as vulnerable.

Name              : SomeService
ImagePath         : "C:\Program Files\SomeProgram\Foo Desktop Bar\SomeExecutable.exe"
User              : LocalSystem
ModifiablePath    : C:\Users\USERNAME\Desktop
IdentityReference : COMPUTER\USERNAME
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, 
                    WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, 
                    Traverse
Status            : Stopped
UserCanStart      : False
UserCanStop       : False

itm4n commented 3 weeks ago

Issue fixed with commit 61d557422d369a8c54239889bcee9a5e8db87abf

The parsing of the command line is now delegated to the system using the API CommandLineToArgvW, instead of trying to parse it manually. As a result, the above example is interpreted as a single file path, and no longer results in a false positive.
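An added example, not code from the PrivescCheck repository, that reproduces the difference described in this issue: a naive whitespace split of the ImagePath yields a "Desktop" token that Test-Path resolves against the current directory, whereas CommandLineToArgvW returns the quoted path as one argument. The function names Split-CommandLineNaive and Split-CommandLineWin32, the Demo.Shell32 wrapper and the ImagePath value are constructed for this illustration.

```powershell
# Added example (not PrivescCheck's own code): naive tokenisation vs. CommandLineToArgvW.
Add-Type -Namespace Demo -Name Shell32 -MemberDefinition @'
[DllImport("shell32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CommandLineToArgvW(string lpCmdLine, out int pNumArgs);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@

function Split-CommandLineNaive {
    param([string]$CommandLine)
    # Hypothetical pre-fix approach: every whitespace-separated token is a candidate path.
    $CommandLine -split '\s+' | ForEach-Object { $_.Trim('"') } | Where-Object { $_ }
}

function Split-CommandLineWin32 {
    param([string]$CommandLine)
    # Delegate parsing to the system: quoted segments stay a single argument.
    $count = 0
    $argv = [Demo.Shell32]::CommandLineToArgvW($CommandLine, [ref]$count)
    if ($argv -eq [IntPtr]::Zero) {
        throw "CommandLineToArgvW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        for ($i = 0; $i -lt $count; $i++) {
            $ptr = [Runtime.InteropServices.Marshal]::ReadIntPtr($argv, $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
        }
    }
    finally {
        # The argv block is allocated with LocalAlloc and must be released by the caller.
        [Demo.Shell32]::LocalFree($argv) | Out-Null
    }
}

# Constructed ImagePath mirroring the one in the issue.
$imagePath = '"C:\Program Files\SomeProgram\Foo Desktop Bar\SomeExecutable.exe"'

# Naive split: the 'Desktop' token is tested relative to the current directory, so
# running from C:\Users\USERNAME reports a writable folder unrelated to the service binary.
Split-CommandLineNaive $imagePath | ForEach-Object {
    "naive token '{0}' exists relative to cwd: {1}" -f $_, (Test-Path -LiteralPath $_)
}

# System parser: exactly one argument, the full path, is checked as a whole.
Split-CommandLineWin32 $imagePath | ForEach-Object {
    "argv element '{0}' exists: {1}" -f $_, (Test-Path -LiteralPath $_)
}
```

Run it from a directory that contains a Desktop folder (such as a user profile) to see the naive branch report True for the bare token while the CommandLineToArgvW branch only evaluates the complete path.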