SDDL Utilities
UPDATE: There's a new version of SDDLTranslate. This one's in Python, and you can find it at
http://tojo2000.com/blog/2008/07/more-fun-with-sddl-python-style.html
-----------------------------
SDDL (Security Descriptor Definition Language) may not be the most exciting thing in the world for most people, but it's something I've had to delve into because I've been trying to come up with a good solution for scanning a computer for weak service permissions. I've found several systems so far with weak service permissions that could easily allow a malicious user to take over a system. This is a huge problem, but it is not a problem that can be "fixed". Microsoft is not going to release a patch that will eliminate weak service permissions because it is not a bug. Weak service permissions happen when the creator of the service sets the permissions incorrectly on the service, either because he/she fat-fingered it or didn't realize what they were doing.
Trying to find the best way to dump service permissions, I came across SC.exe (Windows XP and Server 2003). It has an option, "sdshow", that will export the service permissions for a particular service. As an example, try typing in the following at a command prompt:
sc sdshow Spooler
(I chose Spooler because it exists on all XP/2003 systems)
You should get an SDDL string like this back:
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(I cut it a little short, but it's still a valid SDDL string)
The problem with this is that it is a huge pain to figure out what you are reading even if you understand the anatomy of an SDDL string, which most people don't. That's where SDDLTranslate and SvcInfo come in, two utilities I wrote in the process of researching service permissions.
SDDLTranslate
USAGE: SDTranslate SDDL_String [-s]
SDDLTranslate takes an SDDL string as an argument and returns the corresponding access control list in human-readable format. The optional -s switch tells SDDLTranslate that the SDDL string refers to a service (some constants change their meaning when referring to a service). Let's use the SDDL string from earlier as an example:
SvcInfo
USAGE: SvcInfo
SvcInfo basically just automates the task of cycling through your services, running "SC sdshow Service", and then running SDDLTranslate on the result. Running SvcInfo will enumerate all of your services and get the security descriptor for each. Since the result typically spans many pages, it will also create the SvcInfo.log file with the output so you can view it in another program later.
Both SDDLTranslate and SvcInfo were written in Perl using a module I wrote for the purpose, Win32::SDDL. You can find Win32::SDDL on CPAN.
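As an added illustration of what SDDLTranslate does with the `-s` switch (this is example code written for this page, not the author's Perl tool or the Win32::SDDL module), the following Python parses the DACL portion of an SDDL string, expands each two-letter right code, maps the well-known SID abbreviations, and applies the service-specific meaning of the low bits when asked to. It also includes a small `weak_aces` check in the spirit of the post's motivation: it reports Allow ACEs that hand a low-privilege principal rights that let it reconfigure the service or its security descriptor. The second descriptor (`WEAK_SDDL`) is constructed for the demonstration; the first is the Spooler string quoted above. The rights and SID tables cover the common codes only, and unknown codes are passed through unchanged.

```python
"""Minimal SDDL DACL translator in the spirit of SDDLTranslate (added example)."""
import re

# SDDL two-letter right codes.  Column 1 is the generic/directory meaning,
# column 2 is what the same access bit means on a service object (the "-s" case).
RIGHTS = {
    "CC": ("CREATE_CHILD",    "SERVICE_QUERY_CONFIG"),
    "DC": ("DELETE_CHILD",    "SERVICE_CHANGE_CONFIG"),
    "LC": ("LIST_CHILDREN",   "SERVICE_QUERY_STATUS"),
    "SW": ("SELF_WRITE",      "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": ("READ_PROPERTY",   "SERVICE_START"),
    "WP": ("WRITE_PROPERTY",  "SERVICE_STOP"),
    "DT": ("DELETE_TREE",     "SERVICE_PAUSE_CONTINUE"),
    "LO": ("LIST_OBJECT",     "SERVICE_INTERROGATE"),
    "CR": ("CONTROL_ACCESS",  "SERVICE_USER_DEFINED_CONTROL"),
    "SD": ("DELETE",          "DELETE"),
    "RC": ("READ_CONTROL",    "READ_CONTROL"),
    "WD": ("WRITE_DAC",       "WRITE_DAC"),
    "WO": ("WRITE_OWNER",     "WRITE_OWNER"),
    "GA": ("GENERIC_ALL",     "GENERIC_ALL"),
    "GR": ("GENERIC_READ",    "GENERIC_READ"),
    "GW": ("GENERIC_WRITE",   "GENERIC_WRITE"),
    "GX": ("GENERIC_EXECUTE", "GENERIC_EXECUTE"),
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}
# Well-known SID abbreviations; a literal S-1-... SID is kept as written.
SIDS = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "BU": "Builtin Users", "SY": "Local System", "WD": "Everyone",
    "IU": "Interactive Users", "SU": "Service Logon", "LS": "Local Service",
    "NS": "Network Service", "PU": "Power Users",
}

# "D:" optionally followed by DACL flags (P, AI, AR, ...) and then the ACEs.
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field, service=False):
    """Expand a rights field ('CCLCSW...' or a hex mask) into right names."""
    if field.startswith("0x"):           # numeric mask: leave it for the reader
        return [field]
    col = 1 if service else 0
    return [RIGHTS.get(field[i:i + 2], (field[i:i + 2],) * 2)[col]
            for i in range(0, len(field), 2)]


def parse_sddl(sddl, service=False):
    """Return the DACL as a list of dicts: type, flags, rights, principal."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh, sid = parts[:6]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": ace_flags,
            "rights": parse_rights(rights, service),
            "principal": sid if sid.startswith("S-") else SIDS.get(sid, sid),
        })
    return aces


def translate(sddl, service=False):
    """One human-readable line per ACE, roughly what SDDLTranslate prints."""
    return ["%-5s %-25s %s" % (a["type"], a["principal"], ", ".join(a["rights"]))
            for a in parse_sddl(sddl, service)]


# Rights that let a principal change what the service runs or who controls it.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
             "GENERIC_ALL", "GENERIC_WRITE"}
LOW_PRIV = {"Authenticated Users", "Builtin Users", "Everyone", "Interactive Users"}


def weak_aces(sddl):
    """Allow ACEs that grant DANGEROUS service rights to a LOW_PRIV principal."""
    return [(a["principal"], sorted(DANGEROUS & set(a["rights"])))
            for a in parse_sddl(sddl, service=True)
            if a["type"] == "Allow" and a["principal"] in LOW_PRIV
            and DANGEROUS & set(a["rights"])]


# The Spooler descriptor quoted in the post, plus a constructed weak one
# in which Authenticated Users get the same full-control ACE as BA.
SPOOLER_SDDL = "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

if __name__ == "__main__":
    for line in translate(SPOOLER_SDDL, service=True):
        print(line)
    print("weak ACEs in constructed descriptor:", weak_aces(WEAK_SDDL))
```

Run without `service=True` and the first ACE reads as directory rights (CREATE_CHILD, LIST_CHILDREN, ...), which is exactly the confusion the `-s` switch exists to remove; with it, the same bits become SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS and so on. Feeding the output of `sc sdshow` for each service into `weak_aces` is the check SvcInfo's log is meant to support by hand.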
Click here to download SDDLTranslate.
Click here to download the source for SDDLTranslate.
Click here to download SvcInfo.
Click here to download the source for SvcInfo.