{"id":107132,"date":"2022-09-07T07:00:00","date_gmt":"2022-09-07T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=107132"},"modified":"2022-09-07T09:55:09","modified_gmt":"2022-09-07T16:55:09","slug":"20220907-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20220907-00\/?p=107132","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Replacing a service binary"},"content":{"rendered":"<p>In the category of dubious security vulnerability, we have this report:<\/p>\n<blockquote class=\"q\">\n<p>I have found a security vulnerability in Windows that permits an unprivileged user to gain system privileges.<\/p>\n<ul>\n<li>Look for existing services that run as local system.<\/li>\n<li>For each service, check its corresponding <code>C:\\Program Files<\/code> subdirectory to see if the directory is writable.<\/li>\n<li>When you find one, replace the binary with a hacked version that opens a reverse shell.<\/li>\n<li>The next time the service starts, it will run the modified binary and open a reverse shell.<\/li>\n<li>Connect to the reverse shell and control the system.<\/li>\n<\/ul>\n<\/blockquote>\n<p>Yes, if you can find a service that runs as local system whose binary sits in a world-writable directory, then you can replace that binary, and Windows will blindly execute it the next time it needs to start the service.<\/p>\n<p>This is another example of <a href=\"https:\/\/devblogs.microsoft.com\/oldnewthing\/20180227-00\/?p=98115\"> creating an insecure system and then being surprised that it&#8217;s insecure<\/a>.<\/p>\n<p>The attack hinges on finding a writable binary that runs with local system privileges. But whoever set that up has created an insecure system: they installed a binary that runs with system privileges and left it world-writable! 
Furthermore, everything in <code>C:\\Program Files<\/code> defaults to &#8220;writable only by administrators&#8221;, so somebody who leaves a world-writable file in the <code>C:\\Program Files<\/code> directory must have gone out of their way to do so.<\/p>\n<p>This security vulnerability report presupposes that such a misconfigured program exists and shows how it can be exploited. While it&#8217;s interesting to know that such an attack is possible, it doesn&#8217;t carry any security consequences for Windows. The security vulnerability is in the program installer, which installed a service insecurely.<\/p>\n<p>And since the program is, so far, purely hypothetical, you haven&#8217;t even found a vulnerability in any program. All you&#8217;re saying is &#8220;If there is a vulnerability, then I can exploit a vulnerability.&#8221;<\/p>\n<p>If you put it that way, it&#8217;s clear that this claim by itself is not an interesting security statement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Looking for misconfigured services.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-107132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>Looking for misconfigured 
services.<\/p>\n"}
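The audit the report describes, written out as an added example (it is not code from the post, from the reporter, or from Microsoft): enumerate the services that run as LocalSystem, pull each binary out of its PathName, and check whether the binary or the directory holding it grants write-type rights to a low-privilege principal. The principal list, the rights mask and the English account names are assumptions of this example. On a default installation, where the post notes that C:\Program Files is writable only by administrators, it should report nothing; anything it does report is the installer misconfiguration the post is talking about, not a Windows bug.

```powershell
# Audit services that run as LocalSystem for binaries (or their containing
# directory) that low-privilege principals can write to.
# Added example for this post; not Microsoft's code and not the reporter's.
# Assumptions: the principal list and rights mask below define "world-writable";
# account names are the English ones and may differ on localized systems.

# Identities a low-privilege user holds. Adjust for your environment.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Guests'
)

# Rights that let the holder replace the file: write or append data, delete
# (then recreate), change permissions or take ownership (then grant write),
# plus the GENERIC_WRITE / GENERIC_ALL bits that Get-Acl reports on some ACEs
# instead of specific rights.
$writeMask = 0
foreach ($bit in @(
        [System.Security.AccessControl.FileSystemRights]::WriteData,
        [System.Security.AccessControl.FileSystemRights]::AppendData,
        [System.Security.AccessControl.FileSystemRights]::Delete,
        [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
        [System.Security.AccessControl.FileSystemRights]::TakeOwnership,
        0x40000000,  # GENERIC_WRITE
        0x10000000   # GENERIC_ALL
    )) { $writeMask = $writeMask -bor [int]$bit }

# Pull the executable out of a service's command line, which may be quoted,
# unquoted, carry arguments (svchost.exe -k ...), or use %SystemRoot%.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

# Return the Allow ACEs on $Path that give a low-privilege principal any
# right in $writeMask. Inherited ACEs are included, which is what matters.
function Get-LowPrivWriteAces {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }
}

$systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($systemAccounts -notcontains $svc.StartName) { continue }
    $exe = Get-ServiceExecutable $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $dir = Split-Path -LiteralPath $exe -Parent
    # The report checks the directory; the file itself matters just as much.
    foreach ($target in @($exe, $dir)) {
        foreach ($ace in Get-LowPrivWriteAces $target) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No LocalSystem service binary or its directory is writable by the listed low-privilege principals.' }
```

Run it as the unprivileged user you are modelling; listing services and reading ACLs needs no administrator rights. It checks only the binary and its immediate directory, which is the scope of the report; a writable ancestor directory is outside that scope and would need an extra target in the inner loop.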