`HKLM\SYSTEM\CurrentControlSet\Services\Dnscache`
`HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper`

`RpcEptMapper` service using the regedit GUI. One thing I really like about the Advanced Security Settings window is the Effective Permissions tab. You can pick any user or group name and immediately see the effective permissions granted to that principal, without inspecting all the ACEs separately. The following screenshot shows the result for the low-privileged `lab-user` account.

`Query Value`) but one in particular stands out: `Create Subkey`. The generic name corresponding to this permission is `AppendData/AddSubdirectory`, which is exactly what was reported by the script:
`ImagePath` value for example. To do so, we would need the `WriteData/AddFile` permission. Instead, we can only create a new subkey.

`HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper` but we cannot modify existing subkeys and values. These already existing subkeys are `Parameters` and `Security`, which are quite common for Windows services.

`Parameters` and `Security` - that we could leverage to effectively modify the configuration of the service and alter its behavior in any way?

`windows service configuration registry site:microsoft.com` and here is the very first result that came out.
and here is the very first result that came out.Performance: A key that specifies information for optional performance monitoring. The values under this key specify the name of the driver’s performance DLL and the names of certain exported functions in that DLL. You can add value entries to this subkey using AddReg entries in the driver’s INF file.
`Performance` subkey. OK, this is really interesting! This key doesn't exist by default for the `RpcEptMapper` service, so it looks like it is exactly what we need. There is a slight problem though: this service is definitely not a driver service. Anyway, it's still worth a try, but we need more information about this "Performance Monitoring" feature first.

Note: in Windows, each service has a given `Type`. A service type can be one of the following values: `SERVICE_KERNEL_DRIVER` (1), `SERVICE_FILE_SYSTEM_DRIVER` (2), `SERVICE_ADAPTER` (4), `SERVICE_RECOGNIZER_DRIVER` (8), `SERVICE_WIN32_OWN_PROCESS` (16), `SERVICE_WIN32_SHARE_PROCESS` (32) or `SERVICE_INTERACTIVE_PROCESS` (256).
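The Create Subkey finding above is something a defender can look for across all service keys rather than one at a time in regedit. The following PowerShell audit is an added example, not code from the original post or from the PrivescCheck project: it walks every key under `HKLM\SYSTEM\CurrentControlSet\Services` and reports Allow ACEs that grant low-privileged principals the right to create subkeys (the `CreateSubKey` registry right, which is the `AppendData/AddSubdirectory` generic right reported above) or any broader write right. The list of low-privileged SIDs is an assumption; extend it with the groups your standard users belong to, and run it from an elevated prompt so every key's ACL can be read.

```powershell
# Added example (not part of the original post): audit service registry keys for
# ACEs that grant low-privileged principals the right to create subkeys, i.e. the
# "AppendData/AddSubdirectory" generic right. Run elevated so every ACL is readable.
# The SID list below is an assumption; extend it for your environment.

$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a caller alter the key. WriteKey and FullControl contain
# CreateSubKey, so combined masks are caught by the -band test as well.
$writeRights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, ChangePermissions, TakeOwnership'

function Get-WeakServiceKeyAcl {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare SIDs rather than names so localized group names still match.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($lowPrivSids -notcontains $sid) { continue }

            # Keep only ACEs that carry at least one of the write rights.
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakServiceKeyAcl | Format-Table -AutoSize
```

Two caveats when reading the output. The script reports raw Allow ACEs, whereas the Effective Permissions tab in regedit also accounts for Deny ACEs and nested group membership, so confirm any hit there before acting on it. Remediation is an ACL change on the key (removing or narrowing the offending ACE with `Set-Acl` or regedit), which requires administrative rights; on the affected Windows 7 / Server 2008 R2 systems discussed here the hit on `RpcEptMapper` is expected.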
`Library` value can contain a DLL name or a full path to a DLL.

`Open`, `Collect`, and `Close` values allow you to specify the names of the functions that should be exported by the DLL.

`REG_SZ` (or even `REG_EXPAND_SZ` for the `Library` value).

`main` function with `DllMain`. You can find skeleton code for this function in the documentation: Initialize a DLL.

`ERROR_SUCCESS` if successful.

`DllMain` is implemented, we have a log helper function and the three required functions. One last thing is missing though. If we compile this code, `OpenPerfData`, `CollectPerfData` and `ClosePerfData` will be available as internal functions only, so we need to export them. This can be achieved in several ways. For example, you could create a DEF file and then configure the project appropriately. However, I prefer to use the `__declspec(dllexport)` keyword (doc), especially for a small project like this one. This way, we just have to declare the three functions at the beginning of the source code.

`.\DllRpcEndpointMapperPoc\x64\Release\DllRpcEndpointMapperPoc.dll`.
`rundll32.exe` and pass the name of the DLL and the name of an exported function as the parameters.

`rundll32.exe`. The second one was written when `OpenPerfData` was called. Looks good!

`reg.exe` / `regedit.exe` or programmatically with a script. Since I already went through the manual steps during my initial research, I'll show a cleaner way to do the same thing with a PowerShell script. Besides, creating registry keys and values in PowerShell is as easy as calling `New-Item` and `New-ItemProperty`, isn't it?

`Requested registry access is not allowed`… Hmmm, ok… It looks like it won't be that easy after all.

`New-Item`, `powershell.exe` actually tries to open the parent registry key with some flags that correspond to permissions we don't have.

Counter types appear as the CounterType qualifier for properties in Win32_PerfRawData classes, and as the CookingType qualifier for properties in Win32_PerfFormattedData classes.
`NETWORK SERVICE` in the context of the `RpcEptMapper` service at most, but it looks like I got a much better result than anticipated. I actually got arbitrary code execution in the context of the `WMI` service itself, which runs as `LOCAL SYSTEM`. How amazing is that?!

Note: if I had got arbitrary code execution as `NETWORK SERVICE`, I would have been just a token away from the `LOCAL SYSTEM` account thanks to the trick that was demonstrated by James Forshaw a few months ago in this blog post: Sharing a Logon Session a Little Too Much.
`AppendData/AddSubdirectory` was actually enough in this case. Regarding the "misconfiguration" itself, I would assume that the registry key was set this way for a specific purpose, although I can't think of a concrete scenario in which users would have any kind of permission to modify a service's configuration.

`Get-ModifiableRegistryPath` function, which was several months ago. The second one is that the impact is low. It requires local access and affects only old versions of Windows that are no longer supported (unless you have purchased Extended Support…). At this point, if you are still using Windows 7 / Server 2008 R2 without properly isolating these machines in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries.