RpcEptMapperservice using the
regeditGUI. One thing I really like about the Advanced Security Settings window is the Effective Permissions tab. You can pick any user or group name and immediately see the effective permissions that are granted to this principal without the need to inspect all the ACEs separately. The following screenshot shows the result for the low privileged
Query Value) but one in particular stands out:
Create Subkey. The generic name corresponding to this permission is
AppendData/AddSubdirectory, which is exactly what was reported by the script:
ImagePathvalue for example. To do so, we would need the
WriteData/AddFilepermission. Instead, we can only create a new subkey.
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapperbut we cannot modify existing subkeys and values. These already existing subkeys are
Security, which are quite common for Windows services.
Security- that we could leverage to effectively modify the configuration of the service and alter its behavior in any way?
windows service configuration registry site:microsoft.comand here is the very first result that came out.
Performance: A key that specifies information for optional performance monitoring. The values under this key specify the name of the driver’s performance DLL and the names of certain exported functions in that DLL. You can add value entries to this subkey using AddReg entries in the driver’s INF file.
Performancesubkey. OK, this is really interesting! This key doesn’t exist by default for the
RpcEptMapperservice so it looks like it is exactly what we need. There is a slight problem though, this service is definitely not a driver service. Anyway, it’s still worth the try, but we need more information about this “Perfomance Monitoring” feature first.
Note: in Windows, each service has a given
Type. A service type can be one of the following values:
Libraryvalue can contain a DLL name or a full path to a DLL.
Closevalues allow you to specify the names of the functions that should be exported by the DLL.
DllMain. You can find a skeleton code for this function in the documentation: Initialize a DLL.
DllMainis implemented, we have a log helper function and the three required functions. One last thing is missing though. If we compile this code,
ClosePerfDatawill be available as internal functions only so we need to export them. This can be achieved in several ways. For example, you could create a DEF file and then configure the project appropriately. However, I prefer to use the
__declspec(dllexport)keyword (doc), especially for a small project like this one. This way, we just have to declare the three functions at the beginning of the source code.
rundll32.exeand pass the name of the DLL and the name of an exported function as the parameters.
rundll32.exe. The second one was written when
OpenPerfDatawas called. Looks good!
regedit.exeor programmatically with a script. Since I already went through the manual steps during my initial research, I’ll show a cleaner way to do the same thing with a PowerShell script. Besides, creating registry keys and values in PowerShell is as easy as calling
New-ItemProperty, isn’t it?
Requested registry access is not allowed… Hmmm, ok… It looks like it won’t be that easy after all.
powershell.exeactually tries to open the parent registry key with some flags that correspond to permissions we don’t have.
NETWORK SERVICEin the context of the
RpcEptMapperservice at most but, it looks like I got a much better result than anticipated. I actually got arbitrary code execution in the context of the
WMIservice itself, which runs as
LOCAL SYSTEM. How amazing is that?!
Note: if I had got arbirary code execution as
NETWORK SERVICE, I would have been just a token away from the
LOCAL SYSTEMaccount thanks to the trick that was demonstrated by James Forshaw a few months ago in this blog post: Sharing a Logon Session a Little Too Much.
AppendData/AddSubdirectorywas actually enough in this case. Regarding the “misconfiguration” itself, I would assume that the registry key was set this way for a specific purpose, although I can’t think of a concrete scenario in which users would have any kind of permissions to modify a service’s configuration.
GetModfiableRegistryPathfunction, which was several months ago. The second one is that the impact is low. It requires local access and affects only old versions of Windows that are no longer supported (unless you have purchased the Extended Support…). At this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries.