Privilege Escalation by service token - ties2/Red-Team GitHub Wiki

Privilege escalation is a critical security threat to any operating system, including Windows. It is a technique that allows an attacker to gain higher privileges than those they currently have, enabling them to perform actions that they otherwise would not be authorized to do. One of the ways that attackers can achieve privilege escalation is through the exploitation of service token vulnerabilities.

In this essay, we will discuss how attackers can use service token vulnerabilities to increase their access level and escalate privileges on a Windows system. We will also explore some examples of such attacks, and discuss mitigation measures that can be employed to prevent them.

Service Token:

Windows operating systems use a security principle called "service accounts" to provide services with the required level of access to the system. Service accounts are different from user accounts in that they do not require a password to log on to the system. Instead, they use a "service token" that is generated when the service starts.

Service tokens are used to provide the necessary privileges to a service, such as the ability to access files, directories, and network resources. Each service token has a unique identifier, which is used by the operating system to determine the access rights associated with the token.

Service Token Vulnerability:

A service token vulnerability arises when a service does not properly validate the service token before executing commands or actions. If an attacker can exploit this vulnerability, they can gain access to the system using the privileges of the service account.

For example, suppose an attacker gains access to a system as a low-privileged user. In that case, they can use a service token vulnerability to escalate their privileges to that of a service account with higher privileges, such as the LocalSystem account.

Exploiting a service token vulnerability typically involves two stages: first, the attacker must find a vulnerable service and then identify a suitable exploit to use against it.

Finding a Vulnerable Service:

One way to identify vulnerable services is to use vulnerability scanners such as Nessus or OpenVAS. These tools can scan a network or system and identify services that are vulnerable to attack. They can also provide details of the vulnerabilities found and suggest mitigation measures.

Another approach is to use port scanning tools such as Nmap to identify services running on a target system. Once the services are identified, the attacker can use tools such as Metasploit to determine if any of the services are vulnerable to attack.

Exploiting the Vulnerability:

Once a vulnerable service has been identified, the attacker can use various techniques to exploit the vulnerability. One of the most common techniques used by attackers is to create a malicious service that mimics a legitimate service.

The attacker can then use the vulnerability to inject their malicious code into the service and execute it using the elevated privileges of the service account. This can provide the attacker with complete control over the system and access to sensitive data.

Another technique is to use a tool such as PsExec to execute commands as the service account. PsExec is a command-line tool developed by Sysinternals (now part of Microsoft) that allows users to execute commands on a remote system as if they were running locally.

The attacker can use PsExec to execute a command that will create a new user account with administrative privileges. They can then log in using the new account and perform any actions they wish on the system.

Mitigating Service Token Vulnerabilities:

There are several steps that organizations can take to mitigate service token vulnerabilities. These include:

Implementing the Principle of Least Privilege: One of the most effective ways to mitigate service token vulnerabilities is to implement the Principle of Least Privilege (PoLP). This principle states that users should be granted only the minimum level of privileges required to perform their tasks.

Types of Service Token Vulnerabilities:

There are several types of service token vulnerabilities that can be exploited for privilege escalation. Some of the common ones include:

  • Unquoted Service Path:

This vulnerability occurs when a service path contains spaces and is not enclosed in quotes. An attacker can exploit this vulnerability by creating a malicious file in a directory with a name containing spaces and naming it as the unquoted service path. When the service starts, it will run the malicious file instead of the intended executable, giving the attacker elevated privileges.

  • Weak Service Permissions:

This vulnerability occurs when a service has weak permissions set, allowing non-administrative users to modify or replace the service binary or configuration files. An attacker can exploit this vulnerability by replacing the service binary with a malicious one or modifying the configuration file to execute arbitrary code.

  • Insecure Service Registry Key Permissions:

This vulnerability occurs when a service's registry keys have weak permissions set, allowing non-administrative users to modify or replace the service binary or configuration files. An attacker can exploit this vulnerability by modifying the registry key to point to a malicious executable or modifying the configuration file to execute arbitrary code.

  • DLL Hijacking:

This vulnerability occurs when a service loads a DLL without specifying the full path or using a vulnerable search order. An attacker can exploit this vulnerability by placing a malicious DLL in a location where the service will load it instead of the legitimate DLL.

Examples of Service Token Vulnerabilities:

Here are some real-world examples of service token vulnerabilities that have been exploited for privilege escalation: CVE-2018-6789: This vulnerability in the Exim mail server allowed an attacker to execute arbitrary code with root privileges by exploiting a service token vulnerability. The vulnerability was caused by the mail server not properly quoting the path to the pipe delivery program, allowing an attacker to execute a malicious script instead.

**CVE-2018-19320: **

This vulnerability in the OpenEMR medical practice management system allowed an attacker to execute arbitrary code with administrative privileges by exploiting a service token vulnerability. The vulnerability was caused by the service binary having weak permissions set, allowing an attacker to replace it with a malicious one.

**CVE-2017-8464: **

This vulnerability in the Windows Shell allowed an attacker to execute arbitrary code with elevated privileges by exploiting a service token vulnerability. The vulnerability was caused by the ShellExecute function not properly validating file associations, allowing an attacker to execute a malicious script instead of the intended executable.

Mitigating Service Token Vulnerabilities:

Here are some ways to mitigate service token vulnerabilities and prevent privilege escalation:

  • Set Strong Permissions: Ensure that services have strong permissions set on their binaries and configuration files, so that only administrative users can modify or replace them.

  • Use Quoted Paths: Ensure that service paths are enclosed in quotes to prevent exploitation of unquoted service path vulnerabilities.

  • Use Strong Registry Key Permissions: Ensure that service registry keys have strong permissions set, so that only administrative users can modify or replace them.

  • Use Full DLL Paths: Ensure that services use full paths when loading DLLs, to prevent exploitation of DLL hijacking vulnerabilities.

  • Keep Software Up-to-Date: Ensure that software is kept up-to-date with the latest security patches to prevent exploitation of known vulnerabilities.

  • Use Privilege Separation: Use privilege separation to minimize the impact of a successful exploit by separating the service from the system and user context.

  • Use Anti-Malware Software: Use anti-malware software to detect and block malicious activity on the system.

Conclusion: Service token vulnerabilities are a common vector for privilege escalation attacks. By exploiting these vulnerabilities, an attacker can elevate their privileges and gain access to sensitive system resources. It is important for organizations to take steps to mitigate these vulnerabilities and