Microsoft considers these to be service-pack class
issues, so hopefully they will release a fix for it in Windows XP Service Pack 3.
Next up on the list of juicy service targets is SSDPSRV, granting access to all authenticated
users. Let's see exactly which access is granted.
C:\tools>accesschk.exe -q -v -c "authenticated users" ssdpsrv
RW ssdpsrv
SERVICE_ALL_ACCESS
C:\tools>accesschk.exe -q -v -c "authenticated users" upnphost
RW upnphost
SERVICE_ALL_ACCESS
Both SSDP and upnphost grant all access to any authenticated user! We've found our
target service, so let's move on to the attack.
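The same DACL check can be run from the defender's side by parsing the service's SDDL string, as printed by `sc sdshow <service>`, and flagging allow ACEs that hand broad groups SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER. This is an added example, not code from the book; the function names are illustrative and the SDDL strings are constructed samples.

```python
import re

# SDDL right tokens and their access-mask bits for service objects.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Bits that let the holder reconfigure the service or rewrite its DACL/owner.
DANGEROUS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC",
             0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
             0x40000000: "GENERIC_WRITE"}
# Broad low-privilege trustees, by SDDL SID alias.
UNTRUSTED = {"AU": "Authenticated Users", "WD": "Everyone",
             "BU": "Users", "IU": "Interactive"}

def rights_mask(rights):
    """Convert an ACE rights field (token string or hex mask) to an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(BITS.get(tok, 0) for tok in set(re.findall("..", rights)))

def weak_service_aces(sddl):
    """Return (trustee, [dangerous rights]) for each risky allow ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        f = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(f) < 6 or f[0] != "A" or f[5] not in UNTRUSTED:
            continue
        mask = rights_mask(f[2])
        hits = [name for bit, name in DANGEROUS.items() if mask & bit]
        if hits:
            findings.append((UNTRUSTED[f[5]], hits))
    return findings

# Constructed SDDL strings (not captured from a real host).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")      # full control for AU
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)")                 # query-only for AU

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, weak_service_aces(sddl))
```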
Privilege Escalation via SERVICE_CHANGE_CONFIG Granted to Untrusted Users
sc.exe is a command-line tool used to interact with the service control manager (SCM).
If you pass the AccessCheck, it will allow you to stop, create, query, and configure services.
As attackers having identified a service with a weak DACL, our objective is to
reconfigure the SSDPSRV service to run code of our choice. For demo purposes, we'll
attempt to reconfigure the service to add a new user account to the system. It's smart to
first capture the original state of the service before hacking it. Always do this first so you
can later reconfigure the service back to its original state.