Microsoft Windows Unquoted Service Path Enumeration.

I seek your advice on a security issue and how to mitigate this high-risk vulnerability.

Microsoft Windows Unquoted Service Path Enumeration

Synopsis

The remote Windows host has at least one service installed that uses an unquoted service path.

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

May 14th, 2013 11:54pm

Even I am facing a similar issue, as this vulnerability was highlighted by Nessus for a Windows 2008 R2 server. Any suggestion would be appreciated.
November 15th, 2013 10:54pm

Find the service in question via regedit and quote the ImagePath key. The services hive is found in HKLM\SYSTEM\CurrentControlSet\Services. An example of the quoted fix would be changing

C:\Program Files\service.exe to "C:\Program Files\service.exe"

January 10th, 2014 5:45pm

Probably way late but...

Here's a batch file that will scan all services on a PC and tell you exactly which service is having the issue. You can then go into the registry on that server, under HKLM\SYSTEM\CurrentControlSet\services, pick the service and edit the path to add quotes to the beginning and end of it.

@echo off
setlocal

:START_PROG
cls
echo.
set /p svr=Server Name:  
echo.
rem "state= all" includes stopped services; the default only lists running ones.
rem tokens=1* keeps service names that contain spaces intact in %%J.
for /f "tokens=1*" %%I in ('sc \\%svr% query state^= all ^| find "SERVICE_NAME:"') do call :CHECK_SVR "%%J"
echo.
echo.
echo.
CHOICE /m "Do another "
IF errorlevel 2 goto END_PROG
IF errorlevel 1 goto START_PROG
GOTO END_PROG

:CHECK_SVR
rem Show the display name, then the binary path only when it is unquoted
rem (no " anywhere on the BINARY_PATH_NAME line) and not under C:\WINDOWS.
sc \\%svr% qc %1 | find "DISPLAY"
sc \\%svr% qc %1 | find "BINARY" | find /v """" | find /v /i "C:\WINDOWS"
goto :eof

:END_PROG
endlocal

November 14th, 2014 4:34pm

As long as we are piling on late responses, here is the script one of our talented SCCM engineers wrote to fix affected systems.  The first code snippet is used in SCCM 2007 to fix clients.  Further down are the detection and remediation scripts used in SCCM 2012 as part of Desired Configuration Management (DCM).

Const HKEY_LOCAL_MACHINE = &H80000002
Const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim objWMIService, objListOfServices, objService, Results, strComputer

strComputer = "." 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")  

' Services whose PathName has a space somewhere before ".exe" and does not start with a quote.
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
For Each objService in objListOfServices
   ' GetExpandedStringValue returns the value with environment variables already
   ' expanded, so %SystemRoot%-style references are written back in expanded form.
   Results = ReadRegExpandStr (HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",32)
'   Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",32)
   If Results <> "Unknown" Then
      ' Open a quote at the start and close it after the first ".exe" (case-insensitive),
      ' so any arguments that follow the executable stay outside the quotes.
      Results = Chr(34) & Replace(Results,".exe",".exe" & Chr(34),1,1,1)
      Wscript.Echo objService.name & " ;  " & Results
      SetRegExpandStr HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",Results,32
   End If
Next





'
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
'
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
     Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer,strValue

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")

     strComputer = "."

     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()

     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = ValueName

     Set oOutParams = oReg.ExecMethod_("GetExpandedStringValue", oInParams, , oCtx)
     If IsNull(oOutParams.sValue) Then
        ReadRegExpandStr = "Unknown"
     Else
        Wscript.Echo Cstr(oOutParams.sValue)
        ReadRegExpandStr = Cstr(oOutParams.sValue)
     End If

End Function


'
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
'
Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
   Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")

     strComputer = "."
 
     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
 
     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = ValueName
     oInParams.sValue = Value

     Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)

End function
	


'
'Reads a REG_SZ value from the local computer's registry using WMI
'
Function ReadRegStr (RootKey, Key, Value, RegType)
     Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
     strComputer="." 
     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("GetStringValue").InParameters
     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = Value
     Set oOutParams = oReg.ExecMethod_("GetStringValue", oInParams, , oCtx)
     If IsNull(oOutParams.sValue) Then
        ReadRegStr = "Unknown"
     Else
        Wscript.Echo Cstr(oOutParams.sValue)
        ReadRegStr = Cstr(oOutParams.sValue)
     End If
End Function

SCCM 2012 DCM - Detection of unquoted services

Dim strComputer, objWMIService,  objListOfServices

strComputer = "." 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")  

Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
If objListOfServices.Count = 0 Then
   WScript.Echo "No unquoted service path was found"
Else
   Wscript.Echo "Found an unquoted Service Path"
End If

SCCM 2012 DCM remediation script

Const HKEY_LOCAL_MACHINE = &H80000002
Const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim objArgs, sArgString, strComputer, objWMIService, objSystemItems, objItem, strSystemType, i
Dim objListOfServices, objService, Results

Set objArgs = WScript.Arguments
If objArgs.Count > 0 Then
   sArgString = objArgs(0)
   ' Only remediate when invoked with the argument "failed".
   If sArgString = "failed" Then
      strComputer = "." 
      Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
      Set objSystemItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
      For Each objItem in objSystemItems
          strSystemType = objItem.SystemType
      Next
      ' Pick the registry view (__ProviderArchitecture) that matches the OS bitness.
      If strSystemType = "X86-based PC" Then
         i = 32
      Else
         i = 64
      End If
      Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
      For Each objService in objListOfServices
         ' GetExpandedStringValue returns the value with environment variables already
         ' expanded, so %SystemRoot%-style references would be written back in expanded form.
         Results = ReadRegExpandStr (HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",i)
'        Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",i)
         If Results <> "Unknown" Then
            ' Open a quote at the start and close it after the first ".exe" (case-insensitive),
            ' so any arguments that follow the executable stay outside the quotes.
            Results = Chr(34) & Replace(Results,".exe",".exe" & Chr(34),1,1,1)
            Wscript.Echo objService.name & " ;  " & Results & vbcrlf
            ' As posted, the write-back below is commented out, so this script only reports;
            ' remove the leading apostrophe to apply the quoted path.
'           SetRegExpandStr HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",Results,i
         End If
      Next
   End If
End If





'
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
'
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
     Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer,strValue

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")

     strComputer = "."

     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()

     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = ValueName

     Set oOutParams = oReg.ExecMethod_("GetExpandedStringValue", oInParams, , oCtx)
     If IsNull(oOutParams.sValue) Then
        ReadRegExpandStr = "Unknown"
     Else
        Wscript.Echo Cstr(oOutParams.sValue)
        ReadRegExpandStr = Cstr(oOutParams.sValue)
     End If

End Function


'
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
'
Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
   Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")

     strComputer = "."
 
     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
 
     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = ValueName
     oInParams.sValue = Value

     Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)

End function
	


'
'Reads a REG_SZ value from the local computer's registry using WMI
'
Function ReadRegStr (RootKey, Key, Value, RegType)
     Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer

     Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
     oCtx.Add "__ProviderArchitecture", RegType
     Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
     strComputer="." 
     Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
     Set oInParams = oReg.Methods_("GetStringValue").InParameters
     oInParams.hDefKey = RootKey
     oInParams.sSubKeyName = Key
     oInParams.sValueName = Value
     Set oOutParams = oReg.ExecMethod_("GetStringValue", oInParams, , oCtx)
     If IsNull(oOutParams.sValue) Then
        ReadRegStr = "Unknown"
     Else
        Wscript.Echo Cstr(oOutParams.sValue)
        ReadRegStr = Cstr(oOutParams.sValue)
     End If
End Function




  • Edited by makinbank Friday, December 19, 2014 11:03 PM Added SCCM 2012 DCM code
December 19th, 2014 10:49pm
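The regedit answer, the batch scan and the SCCM scripts above all quote the value in the registry, but none of them shows which prefixes of an unquoted path Windows would actually try, or whether a non-administrator can write to those locations, which is what separates a scanner finding from a working privilege escalation. The PowerShell function below is an added example written for this page; it is not code from any of the posters, from Nessus or from the TechNet gallery. It enumerates Win32 services from HKLM\SYSTEM\CurrentControlSet\Services, reads ImagePath unexpanded so a REG_EXPAND_SZ value keeps its variables, reproduces the documented CreateProcess prefix search (C:\Program.exe, then C:\Program Files\Sub.exe, and so on, the first existing file being the one launched), optionally probes whether the current account can create a file in each hijack directory, and with -Fix quotes the executable while leaving its arguments outside the quotes, which a first-".exe" string replacement cannot do when a directory name contains ".exe". The function name, switch names and output fields are my own; it assumes Windows PowerShell 5.1 or later on the host being audited.

```powershell
# Added example for this thread, not any poster's code. Audits unquoted service
# paths the way CreateProcess resolves them, reports which hijack locations the
# current account can write to, and with -Fix quotes the executable in place.
# Function name, switches and output fields are assumptions of this example.
function Get-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Fix,         # write the quoted ImagePath back (honours -WhatIf)
        [switch]$ProbeWrite   # test each hijack directory by creating a temp file
    )
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
    foreach ($name in $root.GetSubKeyNames()) {
        $key = $root.OpenSubKey($name)
        if ($null -eq $key) { continue }
        # Read ImagePath unexpanded so a REG_EXPAND_SZ value keeps its %variables%.
        $raw  = $key.GetValue('ImagePath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $type = [int]$key.GetValue('Type', 0)
        # 0x10/0x20 = Win32 own/shared-process service (0x40 user service and 0x100
        # interactive may be OR'd in). Drivers (0x1/0x2) are loaded by the kernel,
        # not started through CreateProcess, so they are skipped.
        if ([string]::IsNullOrWhiteSpace($raw) -or -not ($type -band 0x30)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        if ($expanded.StartsWith('"') -or -not $expanded.Contains(' ')) { continue }
        if (-not [IO.Path]::IsPathRooted($expanded)) { continue }  # relative path: review by hand

        # CreateProcess tries each space-delimited prefix of an unquoted command line as
        # the program, appending .exe when the prefix has no extension:
        # C:\Program.exe, C:\Program Files\Sub.exe, ... The first file that exists runs.
        $parts = [string[]]($expanded -split ' ')
        $exe = $null; $resolved = $null
        $candidates = @()
        for ($i = 1; $i -le $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            # A quote or other illegal path character means we are into the arguments.
            if ($prefix.IndexOfAny([IO.Path]::GetInvalidPathChars()) -ge 0) { break }
            $cand = if ([IO.Path]::HasExtension($prefix)) { $prefix } else { $prefix + '.exe' }
            if (Test-Path -LiteralPath $cand -PathType Leaf) { $exe = $prefix; $resolved = $cand; break }
            # A prefix that names an existing directory cannot be shadowed by a file.
            if (-not (Test-Path -LiteralPath $cand -PathType Container)) { $candidates += $cand }
        }
        if ($null -eq $exe) {
            # Binary not present on this host: report it, but do not guess where to quote.
            [pscustomobject]@{ Service = $name; ImagePath = $raw; Resolved = $null; Candidates = $candidates; Writable = @(); Fixed = $false }
            continue
        }
        if ($candidates.Count -eq 0) { continue }  # the only spaces are in the arguments

        $writable = @()
        if ($ProbeWrite) {
            foreach ($cand in $candidates) {
                # Probe with a real create/delete; the result reflects the account running
                # this script, so audit as a standard user, not as an administrator.
                $probe = Join-Path (Split-Path -Parent $cand) ([IO.Path]::GetRandomFileName())
                try {
                    [IO.File]::WriteAllBytes($probe, [byte[]]@())
                    Remove-Item -LiteralPath $probe -Force
                    $writable += $cand
                } catch { }
            }
        }

        $fixed = $false
        if ($Fix) {
            $tail = $expanded.Substring($exe.Length)   # '' or ' -arg ...': stays outside the quotes
            # Write back the unexpanded text where it can be matched, and keep the value kind.
            if (-not $tail) { $prefixRaw = $raw }
            elseif ($raw.EndsWith($tail)) { $prefixRaw = $raw.Substring(0, $raw.Length - $tail.Length) }
            else { $prefixRaw = $exe }
            $new = '"' + $prefixRaw + '"' + $tail
            if ($PSCmdlet.ShouldProcess("$name ($raw)", "set ImagePath to $new")) {
                try {
                    $rw = $root.OpenSubKey($name, $true)
                    $rw.SetValue('ImagePath', $new, $key.GetValueKind('ImagePath'))
                    $rw.Close()
                    $fixed = $true
                } catch { Write-Warning "$name : $($_.Exception.Message)" }
            }
        }
        [pscustomobject]@{ Service = $name; ImagePath = $raw; Resolved = $resolved; Candidates = $candidates; Writable = $writable; Fixed = $fixed }
    }
}
```

Run `Get-UnquotedServicePath -ProbeWrite | Format-Table` as a standard user to see which findings are actually exploitable (any entry in Writable is a location that account could plant a binary in); then run `Get-UnquotedServicePath -Fix -WhatIf` and finally `-Fix` from an elevated shell, keeping the emitted objects (for example via `Export-Csv`) as the record of the original values for rollback. Services whose binary is missing on the host are reported with Resolved empty and are left untouched, and a vendor installer or repair may rewrite the value later, so rescan after software updates.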

How did your SCCM admin query computers to find the ones with unquoted service paths, or did they just run the script on every computer?
February 11th, 2015 2:07pm

I run this script on all computers, and all the vulnerabilities are fixed.

https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341

April 26th, 2015 3:30pm
