Microsoft Windows Unquoted Service Path Enumeration

19 May, 2017 10:38 PM

We had a Nessus finding internally regarding "Microsoft Windows Unquoted Service Path Enumeration". More information about the vulnerability is here:

And the Nessus article is here:

I just happened to be setting up a Windows Service deployment step and noticed that when Octopus creates Windows Services, it does so without the quotes. Is this something that you expect to fix in a future release? Is there a way to work around this within Octopus? I'm guessing I'll need to add a PowerShell script step to alter the execution path, but I'm hoping there is a workaround I've overlooked. Thanks!

  1. Support Staff 1 Posted by Rob Erez on 22 May, 2017 01:47 AM

    It looks like you may have stumbled across an issue that has come about as a result of an earlier fix made regarding quotes around paths. I have created a GitHub ticket to fix this problem. You can see where the missing quotes are in the open source Calamari project which is used by Octopus to execute the scripts on the Tentacles. Because this path is resolved and used in the same script provided in the above link, there is not much you can do at the moment to work around it. Since this is a potential vulnerability I will raise it up with the team to get some priority on it.
    Thanks for bringing this to our attention. Let me know if I can be of any further assistance.

  2. 2 Posted by John on 04 Aug, 2017 07:55 PM

    Hey, thanks for this fix! I was able to retire my custom step template and revert back to a stock Windows Service installation.

  3. John closed this discussion on 04 Aug, 2017 07:55 PM.
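
An audit for the condition the Nessus finding describes, as an added example (not part of the original thread, and not Octopus or Calamari code): it flags service image paths that contain a space in the executable path and are not wrapped in quotes, and shows the quoted form. The helper name `Test-ServicePathQuoting` is hypothetical and the sample paths are constructed.

```powershell
# Added example: audit for unquoted service paths. Not Octopus or Calamari code.
# Test-ServicePathQuoting is a hypothetical helper name.
function Test-ServicePathQuoting {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    # Split into the executable path (up to the first ".exe" followed by
    # whitespace or end of string) and any trailing arguments.
    $m = [regex]::Match($p, '^(?<exe>[^"]+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')

    # Already-quoted paths and non-.exe image paths (e.g. drivers) do not match.
    $unquoted = $m.Success -and $m.Groups['exe'].Value.Contains(' ')
    [pscustomobject]@{
        PathName   = $p
        IsUnquoted = $unquoted
        Suggested  = if ($unquoted) {
            '"{0}"{1}' -f $m.Groups['exe'].Value, $m.Groups['args'].Value
        } else { $p }
    }
}

# Constructed sample image paths (not taken from a real host).
$samples = @(
    'C:\Program Files\Example App\service.exe -run',    # space, no quotes: flagged
    '"C:\Program Files\Example App\service.exe" -run',  # quoted: not flagged
    'C:\Windows\System32\svchost.exe -k netsvcs'        # no space in exe path: not flagged
)
$samples | ForEach-Object { Test-ServicePathQuoting $_ } | Format-List

# On a live Windows host: list services whose image path needs quoting.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $r = Test-ServicePathQuoting $_.PathName
        if ($r.IsUnquoted) {
            [pscustomobject]@{
                Service   = $_.Name
                Current   = $r.PathName
                Suggested = $r.Suggested
            }
        }
    }
```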
