Insecure Service Permissions
Services with Insecure service permissions could allow for privilege escalation. If the current user has the ability to write to or replace the service path binary and, the service is started with privileged permissions such as SYSTEM it could be possible to elevate, providing the service is running in.
Acesschk.exe
can be used to check what permission a particular user has to services. A wildcard is used to check all services.
From the above output SERVICE_CHANGE_CONFIG indicates we are able to alter the service configuration and change the binary path.
As from the above value SERVICE_START_NAME represents the user in which the service runs under.
The command below can be used to alter the binary to a new, malicious binary.
Once the binary path has been changed the service can then be started by either using the command below or rebooting the system if permissions allow.
Interesting Service permissions
Permission | Description |
---|---|
GENERIC_ALL | Inherits SERVICE_CHANGE_CONFIG |
GENERIC_WRITE | Inherits SERVICE_CHANGE_CONFIG |
SERVICE_CHANGE_CONFIG | Able to alter service binary |
WRITE_DAC | Able to alter permissions -> SERVICE_CHANGE_CONFIG |
WRITE_OWNER | Able to become owner and change permissions |
Metasploit Module
Last updated