Protect Windows Services from the SrvCheck2 Exploit

Overview:

Windows services are programs that run in the background, normally with no user interface, and provide functions to Windows and to the user, such as checking the internet for Windows updates.

In January of 2006, Sudhakar Govindavajhala and Andrew Appel released a paper titled Windows Access Control Demystified. Although this paper was mainly an explanation of the complex security model of Windows, it also discussed security vulnerabilities in many Microsoft services and in services installed by third party software.

One of the security settings on a service controls who may change the configuration of the service, including the location and name of the program that runs as the service. Several services were found to have no security restrictions at all, or improperly set security restrictions. Microsoft issued updates to fix these settings on its own services, but made no attempt to correct the security settings of third party software services.

What this means to the end user is that any software installed on their computer has the ability to find vulnerable services and install a backdoor on the computer in place of the service. In some cases, this can be done remotely. For example, using a Wi-Fi network in a cafe might be all that is needed for someone sitting across the room in the cafe to install a backdoor on your computer. Once this has happened, almost anything is possible. Your computer can be connected to over the internet from anywhere in the world and used to send spam or attack other computer systems. Your personal data could be stolen from your computer. Your computer could be damaged or used to store illegal files. All this can happen without your knowledge.

Govindavajhala and Appel’s paper did not discuss any practical details of how to protect your computer from these vulnerabilities. Little information is available on the internet on how to do this. Microsoft has only issued a technical bulletin for developers on the necessity of properly setting security on services during installation. None of this helps the end user fix problems that continue to exist on their computers. Even though it has been over a year since these vulnerabilities were revealed, there are still services out there that remain vulnerable.

This tutorial discusses how to test your system and fix any vulnerabilities found.

SrvCheck2:

In February of 2006, Andres Tarasco released a proof-of-concept program with source code called SrvCheck2. This program can test for and list vulnerable Windows services. But with the proper options it can also install a backdoor on your system in place of a vulnerable service that you specify. Because of this, you may have problems downloading the program, because many virus scanners recognize it as a virus or trojan. This does not mean you are protected against this exploit in other programs. Some minor modifications to this program’s code and the way it is compiled will allow it to get past any virus scanner.

To test your system, log in as a normal user, open a command line window, and run srvcheck2 with the -l option (that is a dash followed by a lower case L) to list vulnerable services. If you log in using an administrator account, then all services will be listed as vulnerable. This illustrates the importance of only using a normal user account for all your computer work except when you need to install software or modify Windows settings.

WARNING: Incorrect use of the commands shown could damage your system. No guarantees are expressed or implied. Use this procedure at your own risk.

Here is an example of output from the List function of srvcheck2…

>srvcheck2 -l
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to enumerate local resources
[+] Username: johndoe
[+] Listing Vulnerable Services...

[Adobe LM Service] Adobe LM Service
Status: 0x1
Context: LocalSystem
Parameter: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"

[DcomLaunch] DCOM Server Process Launcher
Status: 0x4
Context: LocalSystem
Parameter: C:\WINDOWS\system32\svchost -k DcomLaunch

[Macromedia Licensing Service] Macromedia Licensing Service
Status: 0x1
Context: LocalSystem
Parameter: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"

[+] Analyzed 309 Services in your system
[+] You were Lucky. 3 vulnerable services found

This output shows that the license management services (copy protection) for Adobe and Macromedia programs are vulnerable. Incidentally, these copy protection services were not made by Adobe or Macromedia; they were made by Macrovision. The problem here is that both services were installed with no security restrictions specified. Windows interprets this to mean that anyone, from anywhere, even if they have no account on your computer, can do anything they want to these services. In essence, their copy protection makes your computer vulnerable to hackers. Both of these services have been updated in newer products, but if you are using older software, you are still vulnerable.

DcomLaunch shown here is a Microsoft service. This is a special case of vulnerability. The security settings for a normal user are such that this service is not vulnerable. But the user account used for this test was a member of the power user group. For some reason, Microsoft decided that with this one service, power users should be able to change the configuration of this service. Microsoft’s own technical bulletin states that only administrators should be given this security right on services. We should be able to safely remove this access for power users.
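The check that srvcheck2 -l performs can also be done with built-in tools. The following PowerShell script is an added example, not part of this tutorial, SrvCheck2 or SubInACL: it reads each service's security descriptor with sc.exe sdshow and reports any service where a low-privileged group (Everyone, Users, Power Users, and so on) is granted a right that allows reconfiguring the service, or where the service has no DACL at all. It assumes sc.exe is available (it is on every supported Windows version) and that the account running it can read service security descriptors, which a normal user can.

```powershell
# Added audit script (not part of the original tutorial, SrvCheck2 or SubInACL).
# Reads each service's DACL via "sc.exe sdshow" and reports ACEs that grant
# write-class rights to low-privileged principals. Runs as a normal user.

# Service access-right bits that allow reconfiguring or re-owning a service.
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_WRITE         = 0x40000000
$GENERIC_ALL           = 0x10000000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Well-known SIDs that should never hold the rights above on a service.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-32-547' = 'Power Users'
}

function Test-ServiceDacl {
    param([string]$Name)
    # sdshow prints a blank line, then the SDDL string (or an error we filter out).
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
    if (-not $sddl) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    if ($null -eq $sd.DiscretionaryAcl) {
        # A NULL DACL is the "no security restrictions" case the tutorial describes.
        [pscustomobject]@{ Service = $Name; Principal = '(null DACL)'; Rights = 'full control to everyone' }
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($LowPrivSids.ContainsKey($sid) -and ($ace.AccessMask -band $DangerousMask)) {
            [pscustomobject]@{
                Service   = $Name
                Principal = $LowPrivSids[$sid]
                Rights    = ('0x{0:X8}' -f $ace.AccessMask)
            }
        }
    }
}

Get-Service | ForEach-Object { Test-ServiceDacl $_.Name } | Format-Table -AutoSize
```

An empty result means no low-privileged group can reconfigure a service; the DcomLaunch case above would show up here as a Power Users entry.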


Fixing Vulnerabilities – SubInACL:

WARNING: Incorrect use of the commands shown could damage your system. No guarantees are expressed or implied. Use this procedure at your own risk.

To fix these vulnerabilities, we can use a free utility program available from Microsoft named SubInACL. This administrative utility allows us to examine and change the security settings for Windows services, as well as other objects in Windows. To use this utility, it is best to be logged in as an administrator.

Using the vulnerability information found by SrvCheck2, here is an example of how to fix the Adobe License Manager Service. The same procedure can be repeated on any vulnerable service by substituting its name in the following commands.

First, to view the current access rights issue the following command. If you understand the meaning of these security settings, this will give you an idea of why the services are vulnerable. In most cases you will see that the service has no security settings at all, leaving it wide open to anyone…

subinacl /service "Adobe LM Service" /display

Next, grant full access to the Administrators group….

subinacl /service "Adobe LM Service" /grant=Administrators

Erase the current access right for the Everyone group…

subinacl /service "Adobe LM Service" /suppresssid=Everyone

Give the Everyone group the following rights…

Q = Query Service Configuration
S = Query Service Status
E = Enumerate Dependent Services
I = Interrogate Service
L = Read control

subinacl /service "Adobe LM Service" /grant=Everyone=QSEIL

Give the Users group the same rights as the Everyone group, and also…

T = Start Service

subinacl /service "Adobe LM Service" /grant=Users=QSEILT

Repeat this procedure for all the vulnerable services, then restart the services and test again using a normal user account. In the special case mentioned earlier with DcomLaunch, the /display command showed that the normal Users group already had the proper security settings, but the Power Users group had the additional right to change the service configuration. Since power users are also members of the normal Users group, all that was needed was to delete all the Power Users security settings for DcomLaunch by issuing this command…

subinacl /service DComLaunch /suppresssid="power users"
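When several services need the same four SubInACL commands, a script avoids typing mistakes and, more importantly, keeps a copy of each descriptor before it is changed. The following PowerShell function is an added example, not part of this tutorial or of SubInACL: it saves each service's current SDDL with sc.exe sdshow, then runs the same grant/suppress sequence shown above. It assumes subinacl.exe is on the PATH and the shell is elevated; the DcomLaunch special case (removing only the Power Users entry) is not covered by it.

```powershell
# Added helper (not part of the original tutorial, SrvCheck2 or SubInACL).
# Saves each service's current security descriptor, then applies the tutorial's
# SubInACL sequence. A saved descriptor can be restored with
# "sc.exe sdset <service> <saved SDDL>" if a service stops working.

function Repair-ServiceDacl {
    param(
        [Parameter(Mandatory)][string[]]$ServiceName,
        [string]$BackupDir = "$env:USERPROFILE\service-acl-backup"   # assumed location
    )
    # SubInACL needs administrator rights to rewrite a service DACL.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell.'
    }
    if (-not (Get-Command subinacl.exe -ErrorAction SilentlyContinue)) {
        throw 'subinacl.exe not found on PATH.'
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($name in $ServiceName) {
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
            Write-Warning "Service '$name' not found; skipping."
            continue
        }
        # Save the current descriptor before touching it.
        $sddl = (& sc.exe sdshow $name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
        Set-Content -Path (Join-Path $BackupDir "$name.sddl") -Value $sddl
        Write-Host "[$name] saved descriptor: $sddl"

        # Same four steps as the tutorial: Administrators full control, drop the
        # Everyone entry, query/read only for Everyone, query/read + start for Users.
        & subinacl.exe /service $name /grant=Administrators | Out-Null
        & subinacl.exe /service $name /suppresssid=Everyone  | Out-Null
        & subinacl.exe /service $name /grant=Everyone=QSEIL  | Out-Null
        & subinacl.exe /service $name /grant=Users=QSEILT    | Out-Null

        # Show the result so it can be compared against the saved copy.
        & subinacl.exe /service $name /display
    }
}

# Example call using the two Macrovision services flagged in the output above.
Repair-ServiceDacl -ServiceName 'Adobe LM Service', 'Macromedia Licensing Service'
```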

If everything is configured correctly, the output of srvcheck2 should look like this…

>srvcheck2 -l
Services Permissions checker v2.0
(c) 2006 Andres Tarasco - [email protected]

[+] Trying to enumerate local resources
[+] Username: johndoe
[+] Listing Vulnerable Services...

[+] Analyzed 309 Services in your system
[+] Your system is secure! Great! :/