Insecure Service Permissions

Services with insecure permissions could allow for privilege escalation. If the current user has the ability to write to or replace the service binary path, and the service is started with privileged permissions such as SYSTEM, it could be possible to elevate privileges, providing the service is running in.

AccessChk (accesschk.exe) can be used to check which permissions a particular user has on services. A wildcard is used to check all services.

.\accesschk.exe /accepteula -uwcqv "<User>" *

From the above output, SERVICE_CHANGE_CONFIG indicates we are able to alter the service configuration and change the binary path.

The SERVICE_START_NAME value shown above represents the user account that the service runs under.

The command below can be used to change the binary path to a new, malicious binary.

sc config daclsvc binpath= "\"C:\PrivEsc\reverse_shell.exe\""

Once the binary path has been changed, the service can be started either by using the command below or by rebooting the system, if permissions allow.

net start <ServiceName>

Interesting Service permissions

| Permission | Description |
| --- | --- |
| GENERIC_ALL | Inherits SERVICE_CHANGE_CONFIG |
| GENERIC_WRITE | Inherits SERVICE_CHANGE_CONFIG |
| SERVICE_CHANGE_CONFIG | Able to alter service binary |
| WRITE_DAC | Able to alter permissions -> SERVICE_CHANGE_CONFIG |
| WRITE_OWNER | Able to become owner and change permissions |
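
To audit a host for the rights listed above, the security descriptor that `sc sdshow <ServiceName>` prints can be parsed and checked for non-administrative trustees. The Python below is an added example, not part of the original page; the trusted set (SY, BA) is an assumption to adjust, and the sample SDDL strings are constructed for illustration.

```python
import re

# Service access-right codes as they appear in `sc sdshow` SDDL output.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# The rights from the table above, keyed by access-mask bit.
RISKY = {
    0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
}
# Assumption: only LocalSystem (SY) and BUILTIN\Administrators (BA) may hold them.
TRUSTED = {"SY", "BA"}
# Constructed sample descriptors (hypothetical, not taken from a real host).
SAMPLES = {
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "weak": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;RPWPWD;;;WD)",
}

def rights_mask(field):
    """Turn an ACE rights field (two-letter codes or hex) into an access mask.
    Codes not in SDDL_RIGHTS are ignored."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS.get(field[i:i + 2], 0)
    return mask

def risky_aces(sddl, trusted=TRUSTED):
    """Return [(trustee, [right, ...])] for allow ACEs granting a RISKY right."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL only, skip S: (SACL)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        parts = ace.split(";")
        # Only allow ACEs are reported; deny ACEs are not evaluated here.
        if len(parts) != 6 or parts[0] != "A" or parts[5] in trusted:
            continue
        mask = rights_mask(parts[2])
        names = sorted(name for bit, name in RISKY.items() if mask & bit)
        if names:
            findings.append((parts[5], names))
    return findings

if __name__ == "__main__":
    print({name: risky_aces(sddl) for name, sddl in SAMPLES.items()})
```

In SDDL, `WD` means WRITE_DAC in the rights field but Everyone in the trustee field, which is why the parser reads each ACE by field position.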

Metasploit Module

use exploit/windows/local/service_permissions
