Plugin Spotlight: SMB Insecurely Configured Service
Misconfiguration can Lead to Compromise
As a former full-time systems administrator, I understand the pain of managing and maintaining systems. A significant amount of testing is often required to ensure that you have the correct configuration settings, not just in terms of security, but also for system stability. Once you have the correct configuration it is difficult to maintain consistency across the environment on an ongoing basis (especially across hundreds, or even thousands, of disparate systems). This problem crosses all platforms and Unix/Linux and Windows administrators alike share the same challenges. Some examples include:
- Authentication/Logon services implementing the appropriate policies
- Ensuring all services are logging properly
- Permissions on existing users and running processes
- Various configuration settings associated with installed services (and typically specific to the service)
Improperly configured systems often lead to instability and security problems. For example, a program running as root, or administrator, could be exploited by an attacker to gain access to a system. A configuration change (or multiple changes) needs to be put in place to make a service run as a lesser privileged user to limit what an attacker can do on a system (even if only for a period of time until they find a privilege escalation exploit). Some of the more difficult systems to penetrate are those that are properly maintained and configured. All systems administrators may not be security “experts”, but are typically highly skilled individuals who know their systems very well and run a tight ship. A lax attitude (e.g., "Oh, that system can run as root, it’s not hurting anything") greatly increases your risk and makes the attackers’ job easier, not harder.
The Devil is in the Details
Keeping track of service configuration is a very tedious process. Fortunately, Nessus has several plugins and .audit files that can help. A great example is a new plugin that detects the permissions of the services running on Windows systems. Plugin 44676 "SMB Insecurely Configured Service" checks the permissions of each service to see if SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER are enabled for "Everyone". Research indicates that access control entries (ACEs) are stop-on-first-match; meaning if an “Allow ACE for Everyone” appears before a “Deny ACE for Everyone”, the “Deny ACE” will be ignored. The plugin will evaluate each service's ACE and take the rule order into consideration.
The risk with this configuration error is that if a Windows service is configured to allow “Everyone” to change its configuration, a local user could execute arbitrary commands, either deliberately or accidentally. For example, if a service is configured to run goodprogram.exe but has insecure permissions, anyone can re-configure the service to run evil.exe. If a service runs as the 'Good Program' user, that account can become compromised. If a service is running as SYSTEM (as many services do), an attacker could take over the entire system.
To run this plugin, Nessus must be configured with credentials to log into the Windows target. When the plugin finds a mis-configured service, it will produce output such as:
This plugin is available in the feed and is a welcome addition to the Nessus plugin database, allowing users to easily audit the running services on all Windows hosts within your environment.
Contributions for this post were made by Brian Adeloye., Vulnerability Research Engineer here at Tenable Network Security.