Updated: Jul 12
This blog will explore how threat actors, aka hackers, are able to privesc when weak file, directory or registry permissions are present. Installed programs often disable directory inheritance and grant excessive permissions to user accounts. These misconfigurations frequently go unnoticed because locating them requires validating swaths of file, directory and registry hive permissions. Luckily I've a couple of scripts that assist in both reporting vulnerabilities and resetting the correct permissions. But first, the problem at hand...
Weak file, directory and registry permissions are often significant factors in threat actors being able to break out and privesc. If these permissions are not set properly, threat actors have the opportunity to gain access to sensitive files or to modify existing ones.
Weak permissions allow a user to write and execute programs in the directory, or to redirect application paths set in the registry to another location, so that the user can execute their own malicious programs. This can be used to gain access to privileged information or to modify existing programs or files.
In addition to writing and executing programs, weak directory permissions can also allow a user to modify the permissions of existing files. This can be used to modify or delete existing files, or to create new files containing malicious code.
Finally, weak permissions can also allow hackers to gain access to the system by exploiting vulnerabilities in the operating system or in the applications installed on it.
What to do....
Validating permissions throughout the operating system is slow and laborious when done manually. After finding some truly awful permissions and realising the importance of the task at hand, I started developing a validation and pentest script. It's available online and downloadable from GitHub; all referenced links are at the bottom of the page.
Download the Security Report script and review it prior to running with admin privileges.
The report is output as HTML and checks for privesc, breakouts and misconfigurations.
If the Security Report finds file, directory or registry permission weaknesses, download and run the 'Fix for Weak Permissions' PowerShell script. As always, test and review the script before executing it.
The script validates the following location for any Users or Authenticated Users entries that grant Modify or higher:
"C:\Program Files (x86)\"
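As an added illustration of the check described above (this is not the author's Security Report script), the following PowerShell walks the directory tree under that path and reports every Allow ACE that gives a broad principal Modify or FullControl. The principal list and the default root are assumptions and can be adjusted; it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example, not the author's script: report directories whose ACLs grant
# broad principals Modify-or-above rights. Assumes an elevated session.
[CmdletBinding()]
param([string]$Root = 'C:\Program Files (x86)')   # assumed default root

# Principals whose write access to program directories is a privesc risk
# (assumed list; extend with any group your standard users belong to).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# FullControl is a superset of Modify, so testing for the Modify bits covers both.
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Deny entries only reduce access; only Allow entries can open a hole.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    # Note: generic rights (shown as negative numbers) are not mapped here.
    return (($Ace.FileSystemRights -band $Modify) -eq $Modify)
}

# The root itself plus every subdirectory; unreadable branches are skipped.
$dirs = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse `
                                   -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty FullName)

$findings = foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce $ace) {
            [pscustomobject]@{
                Path      = $dir
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false = explicit grant on this folder
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

An explicit (non-inherited) grant on a single folder under a program directory is the pattern the post describes, where an installer has broken inheritance and added its own permissive entry.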
The Security Report Support Page