Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Insecure Default Service DACL's in Windows 2003
From: Jean-Baptiste Marchand <jbm () hsc fr>
Date: Fri, 15 Oct 2004 10:15:07 +0200

* Ziots, Edward <EZiots () Lifespan org> [13/10/04 - 10:16]:

In my documentation of the Default DACL on Windows 2003 Services, I have
found and confirmed the following: 

Both the Distributed Link tracking Server Service and Internet Connection
Firewall Service have the Default DACL of Everyone:Full Control, which
basically lets anyone connect to the SCM and start and stop these services
at will, which in the case of the Internet Connection Firewall Service could
cause many headaches for your service based systems. 

I guess Microsoft's forgot to didn't care to properly set the DACL's on
these services to properly secure them against inproper modification. 

[ 

For those not familiar with Windows services security, Windows service
can be protected just like most of NT objects with DACL (Discretionnary
Access List), allowing an administrator to typically decide which user
can start or stop a given service.

This feature of Windows NT is not well-known, probably because Microsoft
never shipped a graphical tool to modify these permissions (yes,
there *should* be a Permissions tab in the properties of each service as
displayed in the Services Manager... Maybe in Windows Server 2042?)

Here, we're talking about default permissions for Windows Server 2003
services.

]


As mentionned by Kurt Dillard, you've probably confused DACL and SACL in
SDDL strings.

On a standard Windows Server 2003 domain controller, it seems that the
only service that has a DACL containing an ACE with the EVERYONE
principal is the kdc service.

You can verify this using the sdshow option of the sc command (builtin
command of Windows Server 2003) to examine security descriptors for all
Windows Server 2003 services and look for ";WD", which stands for
EVERYONE in SDDL parlance:


$ sc query type= service state= all | grep "SERVICE_NAME" | cut -d ':'
-f 2 | while read srv ; do echo $srv ; sc sdshow $srv ; done | sed -e
's/S:.*$//' | grep -B 2 ";WD"

kdc
^^^

D:(A;OICI;CCLCSWLORC;;;WD)(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;OICI;CCDCLC
   ^^^^^^^^^^^^^^^^^^^^^^ SWLORC;;;PU)(A;OICI;CCLCSWRPLO;;;IU)


The CCLCSWLORC corresponds to actions allowed for any process with a
token containing the EVERYONE SID.

AFAIK, there is no public documentation about how to interpret this part
of SDDL strings for services (i.e., it is not documented in the ACE
Strings entry of Platform SDK documentation).

Using the scacl tool (http://www.losoft.de/lstools.html) to examine this
security descriptor, it seems that this corresponds to:

 - SERVICE_ENUMERATE_DEPENDENCE
 - SERVICE_INTERROGATE
 - SERVICE_QUERY_CONFIG
 - SERVICE_QUERY_STATUS
 - READ_CONTROL (RC):


C:\>scacl kdc

Current security settings of service kdc on SERVEUR:
Owner:     NT AUTHORITY\SYSTEM

DACL:
  00:  [R]       \Everyone
  01:  [F]       BUILTIN\Administrators
  02:  [RW]      (null)\(null)
  03:  [HLIQS]   NT AUTHORITY\INTERACTIVE

This corresponds exactly to the GENERIC_READ generic permission mappings
for services, as documented in the Service Security and Access Rights
entry in PSDK.


On the other hand, all Windows Server 2003 service have, by default, a
SACL that audits any failure for any principal (the EVERYONE SID is
typically found in most NT tokens):

$ sc query type= service state= all | grep "SERVICE_NAME" | cut -d ':' -f 2 | w
hile read srv ; do sc sdshow $srv ; done | sed -e 's/^D:.*\(S:\)/\1/' | sort |
uniq -c
    102
    100 S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      1 The specified service does not exist as an installed service.
      1 [SC] OpenService FAILED 1060:


By the way, given that in Windows Server 2003, the security token of
null sessions does not contain the EVERYONE SID, this SACL should also
audit failures for the ANONYMOUS SID to be really complete...


is to utilize a Custom Security template and recofigure the DACL and add a
SACL of Everyone ( All Settings Failure) and Start, Stop, Pause ( Success)
if you want to check if someone other than the System account is accessing
these services. 

Default configuration for Windows Server 2003 services can be found in
the two following files:

- C:\WINDOWS\inf\defltsv.inf (default security template used for servers)

- C:\WINDOWS\inf\defltdc.inf (default security template used for domain
  controllers).

Services settings (startup mode and SDDL) appear in the [Service General
Setting] section of these files.



Finally, remember that default security descriptors for Windows Server
2003 services were hardened, compared to Windows 2000 Server.

However, there are still some services that can be started by any
interactive user (look for ;IU in SDDL strings)

 AppMgmt
 ClipSrv
 HTTPFilter
 kdc
 NetDDE
 RpcSs
 SamSs
 W32Time
 WmdmPmSN


I remember at least one exploit for an NT SCM (Service Control Manager)
vulnerability that was using the capability to start a service for any
interactive logged-on user...


Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand () hsc fr
HSC - http://www.hsc.fr/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Re: Insecure Default Service DACL's in Windows 2003 Jean-Baptiste Marchand (Oct 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault