PrivescCheck icon indicating copy to clipboard operation
PrivescCheck copied to clipboard

Published 20 hours ago verified publisher icon itm4n

Service binary permissions false positive

Open itm4n opened this issue 3 months ago • 0 comments

Under specific conditions, the function Invoke-ServicesImagePermissionsCheck incorrectly reports some service binary permissions as vulnerable.

Below is an example when the script is executed while the current directory is C:\Users\USERNAME. It identifies Desktop as a token to check, finds that the path C:\Users\USERNAME\Desktop exists, and is writable. Therefore, it reports the service as vulnerable.

Name              : SomeService
ImagePath         : "C:\Program Files\SomeProgram\Foo Desktop Bar\SomeExecutable.exe"
User              : LocalSystem
ModifiablePath    : C:\Users\USERNAME\Desktop
IdentityReference : COMPUTER\USERNAME
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory, 
                    WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild, 
                    Traverse
Status            : Stopped
UserCanStart      : False
UserCanStop       : False

itm4n avatar Mar 11 '24 20:03 itm4n