Windows services are programs that operate in the background and are the equivalent of UNIX daemons.

They are an integral part of the operating system and, from a security perspective, a critical component: a compromise would typically result in arbitrary code execution within an elevated context. This makes them a prime target for attackers looking to escalate their privileges on a Windows system. In the past, a number of high-profile vulnerabilities have been discovered and exploited, but these typically involved memory corruption. Due to advances in memory protections in recent OS releases, these types of vulnerabilities are becoming scarcer and more difficult to exploit reliably.

The same result can often be achieved by exploiting vulnerabilities that do not involve memory corruption but are instead misconfigurations of the services themselves. Particularly in post-exploitation scenarios, this attack vector has a higher potential, as any anti-exploitation protections that the operating system might be enforcing usually do not apply. This whitepaper explores the most common configuration-related security flaws found in Windows services today. It covers six key service areas, describes how a service can be assessed, presents exploitation examples, and finally provides advice on how to remediate such issues.

Download the whitepaper here.