Protect Windows Services from the SrvCheck2 Exploit

Overview

Windows Services are programs that run unseen in the background. They normally have no user interface and provide various functions to the operating system and to the user, such as checking the internet for Windows updates.

In January 2006, Sudhakar Govindavajhala and Andrew Appel released a paper titled Windows Access Control Demystified (PDF). The paper is mainly an explanation of the complex Windows security model, but it also describes security weaknesses in many Microsoft services and in services installed by third-party software.

One of the security settings on a service controls who may change its configuration, which includes the name and location of the program that runs as the service. Anyone with that right can point the service at a program of their choosing. Several services were found to have no security restrictions at all, or improperly set ones. Microsoft issued updates that fix these settings on its own services, but that fix does not correct the security settings of third-party services.

What this means to the end user is that any program running on the computer, even under a limited user account, can find a vulnerable service and replace the service's program with a backdoor, which then runs with the service's privileges (LocalSystem for the services shown below) the next time the service starts. In some cases this can be done remotely, because the Service Control Manager accepts connections over the network, through the same ports used for file and printer sharing, from any account that can log on to your computer. For example, using a Wi-Fi network in a cafe might be all that is needed for someone sitting across the room to install a backdoor on your computer. Once this has happened, almost anything is possible. Your computer could be remotely controlled over the internet and used to send spam or attack other systems. Data could be stolen from it. It could be damaged or used to store illegal files. All of this can happen without your knowledge.

Govindavajhala and Appel's paper does not discuss the practical details of how to protect your computer from these vulnerabilities, and little information is available on the internet. Microsoft has only issued a technical bulletin for developers on the necessity of properly setting security on services during installation. None of this helps end users fix problems that still exist on their computers. Although this vulnerability was disclosed more than a year ago, vulnerable services are still out there.

This tutorial discusses how to test your system and fix any vulnerabilities found.

SrvCheck2

In February 2006, Andres Tarasco released a proof-of-concept program with source code called SrvCheck2. The program can test for and list vulnerable Windows services, but with the right options it can also install a backdoor on your system in place of a vulnerable service that you specify. Because of this, you may have problems downloading it: many virus scanners flag it as a virus or trojan. That does not mean you are protected against this technique in other programs; minor modifications to the code and to the way it is compiled let it get past signature-based virus scanners.

To test your system, log in as a normal user, open a command prompt, and run srvcheck2 with the -l option (a dash followed by a lowercase L) to list vulnerable services. If you log in with an administrator account, every service will be listed as vulnerable, because administrators legitimately have the right to reconfigure any service. This illustrates the importance of using a normal user account for everyday work and an administrator account only when you need to install software or change Windows settings.

WARNING: Incorrect use of the commands shown could damage your system. No guarantees are expressed or implied. Use this procedure at your own risk.

Here is an example of output from the List function of srvcheck2…

>srvcheck2 -l
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to enumerate local resources
[+] Username: johndoe
[+] Listing Vulnerable Services...

[Adobe LM Service] Adobe LM Service
Status: 0x1
Context: LocalSystem
Parameter: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"

[DcomLaunch] DCOM Server Process Launcher
Status: 0x4
Context: LocalSystem
Parameter: C:\WINDOWS\system32\svchost -k DcomLaunch

[Macromedia Licensing Service] Macromedia Licensing Service
Status: 0x1
Context: LocalSystem
Parameter: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"

[+] Analyzed 309 Services in your system
[+] You were Lucky. 3 vulnerable services found

This output shows that the license management (copy protection) services for Adobe and Macromedia products are vulnerable. Incidentally, these services were not written by Adobe or Macromedia; they were made by Macrovision. The problem is that both services were installed with no security settings at all (what Windows calls a null DACL). Windows interprets this to mean that anyone who can connect to the Service Control Manager, locally or over the network, can do anything they want to these services. In effect, the copy protection makes your computer vulnerable to attackers. Newer versions of both products have updated these services, but the vulnerability can still exist in older installations.

The DcomLaunch service shown here is a Microsoft service and a special case. Its security settings for a normal user are such that the service is not vulnerable, but the account used for this test was a member of the Power Users group, and for some reason Microsoft decided that, for this one service, power users should be able to change its configuration. Microsoft's own technical bulletin states that only administrators should have this right on a service, so we should be able to safely remove it from power users.


Fixing Vulnerabilities – SubInACL

WARNING: Incorrect use of the commands shown could damage your system. No guarantees are expressed or implied. Use this procedure at your own risk.

To fix these vulnerabilities we can use a free utility from Microsoft named SubInACL. This administrative tool lets us examine and change the security settings of Windows services, as well as of other Windows objects. Log in as an administrator to use it.

Using the information reported by SrvCheck2, here is an example of how to fix the Adobe LM Service. Repeat the same procedure for any other vulnerable service by substituting its service name (the name shown in square brackets in the srvcheck2 output) in the following commands.

First, view the current access rights with the following command. If you understand the meaning of these security settings, the output shows why the service is vulnerable. In most cases you will see that the service has no security settings at all, leaving it wide open to anyone…

subinacl /service "Adobe LM Service" /display

Next, grant full access to the Administrators group (with no access letters after the name, /grant gives full control, F)…

subinacl /service "Adobe LM Service" /grant=Administrators

Remove the existing access rights of the Everyone group…

subinacl /service "Adobe LM Service" /suppresssid=Everyone

Give the Everyone group the following rights…

Q = Query Service Configuration
S = Query Service Status
E = Enumerate Dependent Services
I = Interrogate Service
L = Read control

subinacl /service "Adobe LM Service" /grant=Everyone=QSEIL

Give the Users group the same rights as the Everyone group, and also…
T = Start Service

subinacl /service "Adobe LM Service" /grant=Users=QSEILT

Repeat this procedure for every vulnerable service, then test again using a normal user account. The new permissions take effect immediately; the services do not need to be restarted, since Windows checks the permissions each time a program opens the service. In the special case of DcomLaunch mentioned earlier, the /display output showed that the Users group already had the proper settings, but the Power Users group had the additional right to change the service configuration. Since members of Power Users also belong to Users, all that was needed was to delete all of the Power Users entries for DcomLaunch with this command…

subinacl /service DcomLaunch /suppresssid="Power Users"

If configured correctly, the output of srvcheck2 should look like this…

>srvcheck2 -l
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to enumerate local resources
[+] Username: johndoe
[+] Listing Vulnerable Services...

[+] Analyzed 309 Services in your system
[+] Your system is secure! Great! :/
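The following Python program is an added example written for this page; it is not code from srvcheck2, SubInACL or the Govindavajhala and Appel paper. It does offline what the two halves of this tutorial describe by hand: it applies the srvcheck2 test (can a given account's token reconfigure a service?) to a service security descriptor written in SDDL, the text form that `sc sdshow <service>` prints, and it turns the SubInACL grant letters used in the fix section (F, QSEIL, QSEILT) into the SDDL string that `sc sdset <service> <sddl>` accepts, which is the same fix without SubInACL. The access-bit values, the SDDL codes and the generic-right mapping are the documented Windows values for service objects; the descriptors at the bottom of the block are constructed to mirror the three cases on this page (no security settings at all, Everyone with full control, and Power Users with the change-configuration right), not copied from the real services, and the function names are the example's own.

```python
"""Added example for this tutorial, not code from srvcheck2, SubInACL or the paper: it
applies the srvcheck2 test to a service security descriptor written in SDDL (the form
`sc sdshow <service>` prints) and turns the SubInACL grant letters used above into the
string `sc sdset <service> <sddl>` expects.  All descriptors at the bottom are constructed."""
import re

# Service access bits with their SDDL codes (SDDL reuses directory-object right names for
# every object type, so CC means "query config" on a service).  SubInACL letters in brackets.
RIGHTS = {
    "CC": 0x0001, "DC": 0x0002,  # SERVICE_QUERY_CONFIG [Q], SERVICE_CHANGE_CONFIG [C]
    "LC": 0x0004, "SW": 0x0008,  # SERVICE_QUERY_STATUS [S], SERVICE_ENUMERATE_DEPENDENTS [E]
    "RP": 0x0010, "WP": 0x0020,  # SERVICE_START [T], SERVICE_STOP [O]
    "DT": 0x0040, "LO": 0x0080,  # SERVICE_PAUSE_CONTINUE [P], SERVICE_INTERROGATE [I]
    "CR": 0x0100, "SD": 0x00010000, "RC": 0x00020000,  # USER_DEFINED_CONTROL [U], DELETE, READ_CONTROL [L]
    "WD": 0x00040000, "WO": 0x00080000,  # WRITE_DAC, WRITE_OWNER: rewrite the ACL, then grant DC
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic rights
}
SERVICE_ALL_ACCESS = 0x000F01FF
GENERIC = {  # how Windows maps the generic rights onto service objects
    "GR": RIGHTS["CC"] | RIGHTS["LC"] | RIGHTS["SW"] | RIGHTS["LO"] | RIGHTS["RC"],
    "GX": RIGHTS["RP"] | RIGHTS["WP"] | RIGHTS["DT"] | RIGHTS["CR"] | RIGHTS["RC"],
    "GW": RIGHTS["DC"] | RIGHTS["RC"], "GA": SERVICE_ALL_ACCESS,
}
TAKEOVER = RIGHTS["DC"] | RIGHTS["WD"] | RIGHTS["WO"]  # each of these ends in control of the binary
TRUSTED = {"SY", "BA"}  # SYSTEM and Administrators: the only trustees that should hold them
SID_ALIAS = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users", "PU": "Power Users",
             "WD": "Everyone", "AU": "Authenticated Users", "IU": "INTERACTIVE", "SU": "SERVICE"}
SUBINACL = {"Q": "CC", "C": "DC", "S": "LC", "E": "SW", "T": "RP", "O": "WP",
            "P": "DT", "I": "LO", "U": "CR", "L": "RC"}
RIGHT_ORDER = ["CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"]
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([^)]+)\)")  # (type;flags;rights;obj;inh;sid)

def parse_rights(text):
    """SDDL rights field (two-letter codes or a hex mask) -> specific service rights mask."""
    if text.startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= RIGHTS[text[i:i + 2]]  # KeyError on a code this table does not cover
    for code, specific in GENERIC.items():  # expand GA/GR/GW/GX into service bits
        if mask & RIGHTS[code]:
            mask = (mask & ~RIGHTS[code]) | specific
    return mask

def parse_dacl(sddl):
    """[(ace_type, mask, sid), ...] from the D: component, or None when the descriptor has
    no DACL at all (a NULL DACL, which Windows treats as full access for everyone)."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    if "D" not in parts:
        return None
    return [(t, parse_rights(r), sid) for t, _f, r, _o, _i, sid in ACE_RE.findall(parts["D"])]

def effective_rights(aces, token_sids):
    """Rights a token holding token_sids gets.  Assumes a canonical DACL (deny ACEs first),
    so denies can simply be subtracted from allows."""
    if aces is None:
        return SERVICE_ALL_ACCESS
    allowed = denied = 0
    for ace_type, mask, sid in aces:
        if sid in token_sids:
            allowed |= mask if ace_type == "A" else 0
            denied |= mask if ace_type == "D" else 0
    return allowed & ~denied

def can_take_over(sddl, token_sids):
    """The decision `srvcheck2 -l` makes for one service under one account."""
    return bool(effective_rights(parse_dacl(sddl), set(token_sids)) & TAKEOVER)

def vulnerable_trustees(sddl):
    """Trustees other than SYSTEM/Administrators that an allow ACE lets reconfigure the service."""
    aces = parse_dacl(sddl)
    if aces is None:
        return ["Everyone (NULL DACL)"]
    return sorted({SID_ALIAS.get(sid, sid) for t, mask, sid in aces
                   if t == "A" and mask & TAKEOVER and sid not in TRUSTED})

def build_dacl(grants):
    """SDDL DACL equivalent to a series of `subinacl /service X /grant=SID=letters` commands;
    grants is [(sid, letters)] where F means full control, as in SubInACL."""
    aces = []
    for sid, letters in grants:
        mask = SERVICE_ALL_ACCESS if letters == "F" else 0
        for ch in (letters if letters != "F" else ""):
            mask |= RIGHTS[SUBINACL[ch]]
        aces.append("(A;;" + "".join(c for c in RIGHT_ORDER if mask & RIGHTS[c]) + ";;;" + sid + ")")
    return "D:" + "".join(aces)

# Constructed descriptors mirroring the three cases on this page (not the real ones).
NULL_DACL = "O:SYG:SY"                                     # installed with no security settings
EVERYONE_FULL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"   # Everyone granted full control
POWER_USERS_DC = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRRC;;;PU)")  # the DcomLaunch case
HARDENED = build_dacl([("BA", "F"), ("WD", "QSEIL"), ("BU", "QSEILT")])  # the SubInACL fix above
LIMITED_USER = {"BU", "WD", "AU", "IU"}  # group SIDs in a normal user's token
POWER_USER = LIMITED_USER | {"PU"}       # the test account used in the tutorial

if __name__ == "__main__":
    for name, sddl in [("null DACL", NULL_DACL), ("Everyone full", EVERYONE_FULL),
                       ("Power Users change-config", POWER_USERS_DC), ("hardened", HARDENED)]:
        print(f"{name:26} normal user: {can_take_over(sddl, LIMITED_USER)!s:6}"
              f"power user: {can_take_over(sddl, POWER_USER)!s:6}weak: {vulnerable_trustees(sddl)}")
```

Running it prints one line per descriptor: only the hardened one reports no takeover for either account and no weak trustee, and HARDENED is the string you would hand to `sc sdset`. The hardened descriptor has no explicit SYSTEM entry, just like the SubInACL commands above, yet the service itself keeps full control because the LocalSystem token carries the BUILTIN\Administrators SID. The access check subtracts denies from allows, which matches Windows for a canonical DACL (deny entries first); a non-canonical DACL would need the ordered evaluation Windows performs.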