James Forshaw gave a presentation on privilege escalation in Windows. He discussed several ways that logical vulnerabilities could allow escalating privileges, such as through command line arguments passed to services, exposed device namespaces, impersonation, and default permissions. He provided examples of exploiting vulnerabilities in services, drivers, and other parts of the Windows attack surface to gain elevated privileges on the system.
Social Engineering the Windows Kernel by James Forshaw (Shakacon)
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel (Igor Korkin)
I have presented that files open in an exclusive mode can be illegally accessed without any security reaction. After that, I’ve presented my MemoryRanger, which can prevent such unauthorized memory access.
All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access (Igor Korkin)
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE
All details and source code are here - http://www.bit.ly/MemoryMonRWX
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces (Igor Korkin)
MemoryRanger is a hypervisor-based project, which isolates kernel-mode drivers and their allocated data by running drivers in isolated kernel enclaves.
All the details are here - bit.ly/MemoryRanger
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again (Igor Korkin)
The security of a computer system depends on the OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, which can be used by hackers. The idea of this paper is to continue the research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the opportunities of MemoryRanger to prevent these attacks. This paper demonstrates three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to the files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts issue new protection features, access attempts to the dynamically allocated data in kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64.
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ... (Igor Korkin)
All the details are here - http://bit.ly/AllMemPro
One of the main issues in OS security is providing trusted code execution in an untrusted environment. During execution, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding of a malware driver, process privilege escalation, and theft of private data, but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts to newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on the newest Windows 10 1709 x64.
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t... (Igor Korkin)
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
Applying Memory Forensics to Rootkit Detection (Igor Korkin)
Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.
Applying Memory Forensics to Rootkit Detection #adfsl #Virginia #USA
http://bit.ly/cdfsl_paper
http://bit.ly/cdfsl_slides
http://bit.ly/cdfsl_speech
This presentation is a fun introduction to the tools used by script kiddies, namely the Remote Admin Tools (or Remote Access Trojans). These GUI based hacking tools include a lot of funny and scary features.
[2010 CodeEngn Conference 04] window31 - Art of Keylogging: Keyloggers That Have Nothing to Do With Keyboard Security (GangSeok Lee)
2010 CodeEngn Conference 04
Looking through various papers and other research material, much of it points out the limitations of keyboard security and discusses measures to compensate for them. That academic approach is of course important, but it is also necessary to look at the approach of the hackers who are actually doing the keylogging: how they take keystrokes and accounts. In general, hackers take accounts through simpler and more practical methods rather than arcane techniques based on kernel-level or hardware knowledge, and in most cases that activity shows new techniques that go beyond the coverage of current keyboard security. Against this background, this session looks, through reverse engineering, at cases actually occurring in companies and at user infection cases. The Art of Keylogging talk, a taste of the art of binary hacking, introduces new trends in keystroke theft.
http://codeengn.com/conference/04
"Most of modern OS are using sandboxing in order to prevent malicious apps from affecting other apps or even harming the OS itself. Google is constantly reinforcing Android’s sandbox protection, introducing new features to prevent any kind of sandbox bypass.
In this talk we want to shed new light on a less known attack surface which affects all Android devices and allows an attacker to hijack the communication between privileged apps and the disk, bypassing Android’s latest sandbox protection.
The problem begins when privileged apps interact with files stored in exposed areas, and even worse, some of them will unintentionally break the sandbox by insecurely appending such data to its confinements.
Can you imagine if someone could execute code in the context of your keyboard, or install an unwanted app without your consent? Well… It’s hardly within the realm of imagination.
The external storage and network based vulnerabilities we discovered can be leveraged by the attacker to corrupt data, steal sensitive information or even take control of your device."
Mitigating Java Deserialization attacks from within the JVM (improved version) (Apostolos Giannakidis)
This deck contains a few improvements based on received feedback, such as the addition of links and the rewording of some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered with via a file upload vulnerability at the application level.
Beat Your Mom At Solitaire—Reverse Engineering of Computer Games (Christoph Matthies)
An overview of the methods used to reverse engineer computer games. Special focus is put on using memory manipulation at runtime to cheat at games as well as the countermeasures deployed by game developers.
Christoph Matthies (@chrisma0), Lukas Pirl
Published under CC BY-NC-SA 3.0
The PSCG's Ron Munitz's talk on MobSecCon, September 3rd, 2015.
A PDF is available in: http://thepscg.com/events/MobSecCon
Israel's first Android (and mobile) Internals conference coming up this November!
http://www.thepscg.com/events/MobModCon
See the improved version: https://www.slideshare.net/ApostolosGiannakidis/mitigating-java-deserialization-attacks-from-within-the-jvm-improved-version
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered with via a file upload vulnerability at the application level.
Fantastic Red Team Attacks and How to Find Them (Ross Wolf)
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
Understanding and implementing website security (Drew Gorton)
Knowing security best practices only gets a team so far. They have to implement them too. This session will cover the security risks that a web development team faces and the underlying reasons why risks can go unaddressed. Ultimately, there are no excuses for leaving your web projects exposed to known vulnerabilities. This session will cover common security concerns for Drupal and the root problems a team needs to solve in order to mitigate these risks.
We will cover:
Three layers of web security, from the perspective of Drupal: Platform-level (e.g. Linux), Application-level (e.g. Drupal), and Organizational-level (e.g. procedures)
Familiarity with your hosting platform’s security-related practices.
Overview of common vulnerabilities in web applications (XSS, CSRF, HTTP vs HTTPS, etc.)
Understanding how security concerns are handled for core and contrib.
Clarifying support responsibilities and procedures so that security fixes are applied quickly.
Attendees who build and/or manage Drupal sites will gain the most from the session. Attendees will leave with a complete picture of website security and concrete recommendations for how to improve the security of the sites they manage. It will cover recommendations for Drupal 7 and Drupal 8.
Many of the topics that will be covered are in my Understanding and Implementing Website Security blog post series at https://pantheon.io/blog/understanding-and-implementing-website-security-part-1-you-are-target
This paper attempts to look behind the wheels of Android, keeping a special focus on custom ROMs, and checks for security misconfigurations that could lead to device compromise, which may result in malware infection or data theft.
2. James Forshaw @tiraniddo
Obligatory Background Slide
● Researcher in Google’s Project Zero
● Specialize in Windows
○ Especially local privilege escalation
● Never met a logical vulnerability I didn’t like
3. James Forshaw @tiraniddo
What I’m Going to Talk About
● Privilege escalation in Windows
○ Good places to look for bugs, a mixture of user mode and kernel mode tips
● Fun tricks you can use to exploit vulnerabilities
○ Some that even many at Microsoft weren’t aware of
● Mainly logical vulnerabilities, not worrying about memory corruption
10. James Forshaw @tiraniddo
System Services and Drivers

            Windows 7 SP1   Windows 8.1   Windows 10
Services    150             169           196
Drivers     238             253           291
11. James Forshaw @tiraniddo
Service Privilege Levels

                  Windows 7 SP1   Windows 8.1   Windows 10
Local System      53.69%          56.89%        61.14%
Local Service     32.21%          31.14%        28.50%
Network Service   14.09%          11.98%        10.36%
12. James Forshaw @tiraniddo
Service Start Mode

            Windows 7   Windows 8.1   Windows 10
Auto        30.07%      26.19%        24.10%
Disabled    5.23%       3.57%         2.05%
Manual      53.59%      43.45%        42.56%
Triggered   11.11%      26.79%        31.28%
15. James Forshaw @tiraniddo
Example: Mozilla Maintenance Service
/**
* Main entry point when running as a service.
*/
void WINAPI
SvcMain(DWORD argc, LPWSTR *argv) {
// ...
ExecuteServiceCommand(argc, argv);
}
17. James Forshaw @tiraniddo
Simple C# Test Program

using System;
using System.ServiceProcess;

class Program {
  static void Main(string[] args) {
    if (args.Length < 1) {
      Console.WriteLine("Usage: ServiceName args");
      Environment.Exit(1);
    }
    // Start the named service; the argument array (service name included)
    // is delivered verbatim to the service's ServiceMain as argc/argv.
    ServiceController service = new ServiceController(args[0]);
    if (service.Status == ServiceControllerStatus.Stopped) {
      service.Start(args);
    }
  }
}
23-24. James Forshaw @tiraniddo
Opening a Device Name
[Diagram] The native NT path \Device\Harddisk1\SomeName is split into the device path \Device\Harddisk1 and the device namespace path \SomeName; the namespace path is handed to the Harddisk driver’s Create File handler.
25. James Forshaw @tiraniddo
Securing the Device Namespace
● So what’s the problem?
○ By default the security of the device path is enforced by the kernel
○ The security of the namespace IS NOT enforced by the kernel
● If the driver doesn’t do its own checking or set the appropriate flags, there’s NO security
27. James Forshaw @tiraniddo
Example: Windows Sockets
● On Linux/OSX sockets are implemented as system calls
● On Windows they are implemented in the Ancillary Function Driver
● You interact with it via \Device\Afd
● But you must open the device namespace, passing it \Device\Afd\Endpoint
● No security on the namespace :(
● Further interaction via DeviceIoControl
29. James Forshaw @tiraniddo
Talk to Any Registered IP Endpoint
● For example SMB or DCE/RPC
https://code.google.com/p/google-security-research/issues/detail?id=222
30. James Forshaw @tiraniddo
What to Look For?
● Best place to look is in the handlers for:
○ IRP_MJ_DEVICE_CONTROL
○ IRP_MJ_FILE_SYSTEM_CONTROL
○ Classic IOCTL bugs
● The control code encodes what permissions the device handle needs to call it and includes parameter passing information.

Control code layout:
  bits 30-16   Device Type
  bits 15-14   Required Access   FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2
  bits 12-2    Function Code
  bits 1-0     Transfer Type     METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3
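To make the layout concrete, here is an added decoder (example code, not from the slides) that splits a control code into the fields listed and flags the two combinations a reviewer usually wants to look at first: codes that need no particular access on the handle, and METHOD_NEITHER codes, whose handlers receive raw user-mode pointers. It follows the field widths of the CTL_CODE macro, so the device type is read as 16 bits and the function as 12, with bit 31 and bit 13 (the bits the slide's ranges leave out) reported separately as the custom-range markers; the sample codes are constructed.

```python
# Added example: decode a Windows I/O control code into the fields the slide
# lists (device type, required access, function, transfer method) and flag
# the codes whose handlers deserve early review.

METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}


def ctl_code(device_type, function, method, access):
    """Mirror of the CTL_CODE macro from the Windows headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code into its fields.

    device_type is bits 31-16 and function is bits 13-2, as CTL_CODE packs
    them; bit 31 and bit 13 mark the OEM/custom ranges and are reported
    separately as well.
    """
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "custom_device_type": bool(code & (1 << 31)),
        "access": (code >> 14) & 0x3,
        "access_name": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "custom_function": bool(code & (1 << 13)),
        "method": code & 0x3,
        "method_name": METHOD_NAMES[code & 0x3],
    }


def review_flags(code):
    """Reasons the handler for this code should be reviewed early.

    FILE_ANY_ACCESS means a handle opened with no specific access right can
    issue the request; METHOD_NEITHER means the driver receives the raw
    user-mode buffer pointers and must probe and capture them itself.
    """
    fields = decode_ioctl(code)
    flags = []
    if fields["access"] == 0:
        flags.append("callable from a handle with FILE_ANY_ACCESS")
    if fields["method"] == 3:
        flags.append("METHOD_NEITHER: raw user pointers reach the driver")
    return flags


def describe(code):
    """One-line human-readable summary of a control code."""
    f = decode_ioctl(code)
    return (f"0x{code:08X}: device_type=0x{f['device_type']:X} "
            f"function=0x{f['function']:X} {f['access_name']} {f['method_name']}")


if __name__ == "__main__":
    # Constructed sample codes: a vendor-range buffered IOCTL, a METHOD_NEITHER
    # IOCTL requiring read and write access, and a well-known disk IOCTL.
    for code in (ctl_code(0x22, 0x800, 0, 0), ctl_code(0x22, 0x801, 3, 3), 0x70000):
        print(describe(code), review_flags(code))
```

Feeding the decoder a driver's full IOCTL table (from headers or from reverse engineering) and sorting by `review_flags` gives a review order that matches the slide's advice: start with the IRP_MJ_DEVICE_CONTROL handlers reachable with the least access and the weakest parameter marshalling.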
33. James Forshaw @tiraniddo
Per-Process DeviceMap
#include <windows.h>
#include <winternl.h>

// ProcessInformationClass value for the per-process device map.
const int ProcessDeviceMap = 23;

struct PROCESS_DEVICEMAP_INFORMATION {
  HANDLE DirectoryHandle;
};

// Exported by ntdll.dll; winternl.h does not declare it, so declare it here.
extern "C" NTSTATUS NTAPI NtSetInformationProcess(
    HANDLE ProcessHandle, ULONG ProcessInformationClass,
    PVOID ProcessInformation, ULONG ProcessInformationLength);

// Replace the current process's DOS device map (the directory behind \??)
// with an object directory the caller has already opened.
bool SetProcessDeviceMap(HANDLE hDir) {
  PROCESS_DEVICEMAP_INFORMATION DeviceMap = {hDir};
  NTSTATUS status = NtSetInformationProcess(
      GetCurrentProcess(),
      ProcessDeviceMap,
      &DeviceMap,
      sizeof(DeviceMap));
  return status == 0;
}
34. James Forshaw @tiraniddo
Using Per-Process Device Map
// Driver side: potentially vulnerable, because "\??" is resolved through the
// device map of the process that issued the IOCTL, not a fixed directory
NTSTATUS DoDeviceIoControl(PDEVICE_OBJECT Device, PIRP Irp) {
    PIO_STACK_LOCATION stack_loc = IoGetCurrentIrpStackLocation(Irp);
    if (stack_loc->Parameters.DeviceIoControl.IoControlCode ==
        IOCTL_SOMETHING) {
        UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\??\\C:");
        UNICODE_STRING target = RTL_CONSTANT_STRING(L"\\Device\\Target");
        IoCreateSymbolicLink(&name, &target);
    }
    // rest of the handler omitted on the slide
    return STATUS_SUCCESS;
}
// User side: point the process device map at \GLOBAL?? so that the link the
// driver creates lands on the global C: drive letter
HANDLE hDir;
UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\GLOBAL??");
OBJECT_ATTRIBUTES ObjAttr;
InitializeObjectAttributes(&ObjAttr, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtOpenDirectoryObject(&hDir, DIRECTORY_TRAVERSE, &ObjAttr);
SetProcessDeviceMap(hDir);
https://code.google.com/p/google-security-research/issues/detail?id=538
35. James Forshaw @tiraniddo
The Hand Which Giveth…
● MS15-111 removed the per-process device map from sandboxes
if (ProcessInformationClass == ProcessDeviceMap) {
    if (RtlIsSandboxedToken(NULL)) {
        return STATUS_ACCESS_DENIED;
    }
    return ObSetDeviceMap(ProcessHandle, DirectoryHandle);
}
37. James Forshaw @tiraniddo
Impersonation and DeviceMaps
● When a privileged service impersonates a user it also impersonates their device map.
● Dropping a C: symbolic link in the per-user device map directory lets you control where that service thinks C: is while it is impersonating.
● Prior to MS15-038 you could use this to load DLLs into the target process
○ This was fixed by adding a new object attribute, OBJ_IGNORE_IMPERSONATED_DEVICEMAP, which disables the impersonation device map for that open.
● But it is still useful: for example process creation while impersonating is still vulnerable
● Also reading of “protected” configuration.
● Original DLL version available at
https://code.google.com/p/google-security-research/issues/detail?id=240
38. James Forshaw @tiraniddo
Use Process Monitor
● Process Monitor logs the impersonation context on file creation events.
● Use this to see if any system service is impersonating the user while opening anything useful (DLLs probably don’t count).
[Screenshot: Process Monitor event properties for a CreateFile event; the value to look for is the Impersonating field.]
39. James Forshaw @tiraniddo
Interesting Object Attribute Flags
Flag Name                          Value   Description
OBJ_CASE_INSENSITIVE               0x0040  Interesting if the system is configured as case sensitive (the default is case insensitive)
OBJ_OPENLINK                       0x0100  Opens a “link” object. Used to open a registry key symbolic link itself instead of following it
OBJ_KERNEL_HANDLE                  0x0200  If not set by kernel-mode code, the handle is created in the current process's handle table and so is exposed to the user process
OBJ_FORCE_ACCESS_CHECK             0x0400  If not set, an open from kernel mode is performed with no security checks
OBJ_IGNORE_IMPERSONATED_DEVICEMAP  0x0800  Ignore the impersonated device map and use the process's own
40. James Forshaw @tiraniddo
Default ACLs and Owners
● A file or object’s permissions depend on one of three things:
○ The inherited permissions from its container (e.g. a directory) and/or,
○ The default permissions from the current active token (the impersonation token if the thread is impersonating)
○ An explicit Security Descriptor passed to the kernel system call
[Figure: the token supplies the default OWNER, default GROUP and default DACL; the Integrity Level is also inherited from the token]
41. James Forshaw @tiraniddo
What if DeviceMap Doesn’t Exist?
// Simplified: the per-logon-session DosDevices directory is created lazily,
// in the context of whoever first needs it, with no explicit security
// descriptor
NTSTATUS SeGetTokenDeviceMap(TOKEN *token, DEVICE_MAP **device_map) {
    if (!token->LogonSession->pDeviceMap) {
        swprintf_s(&SourceString,
            L"\\Sessions\\0\\DosDevices\\%08x-%08x",
            token->AuthenticationId.HighPart,
            token->AuthenticationId.LowPart);
        InitializeObjectAttributes(&ObjectAttributes,
            SourceString, OBJ_KERNEL_HANDLE, ...);
        ZwCreateDirectoryObject(&DirectoryHandle,
            DIRECTORY_ALL_ACCESS, &ObjectAttributes);
        ObSetDirectoryDeviceMap(&token->LogonSession,
            DirectoryHandle);
    }
    *device_map = token->LogonSession->pDeviceMap;
}
42. James Forshaw @tiraniddo
Default Security
● Because the devicemap directory is created in-process, on demand, it gains the permissions of the caller:
○ Owner set to the caller
○ Default DACL taken from the caller's token
● Means we can access the device map
● We can use this in limited ways to circumvent the loss of the per-process Device Map
● Also works for many other resources, such as registry keys and files
1. Get a token (such as from S4U) with an uninitialized devicemap
2. Impersonate the token and access the device map so the kernel creates it
3. Open the resource / call the kernel function while impersonating the user
43. James Forshaw @tiraniddo
Win32 Automatic Redirection
● Win32 APIs redirect certain file names when calling the native APIs, e.g.
○ COM1 -> \??\COM1
○ NUL -> \??\NUL
○ And others
● System services rarely guard against it.
● If you can get the call under impersonation you can redirect the file access even if you don’t have control over the complete path, because \?? is then resolved through your device map
● For example
○ If the service will open c:\somepath\yourfile you can redirect to another file
○ Potentially exploitable for configuration information
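Added example, not from the slides, covering the device map behaviour of slides 34 and 37 and the redirection above: a user-mode model of how the object manager picks a DosDevices directory for a \??\ lookup, so the attacks can be traced by hand without a kernel debugger. It is a simplified model of the real lookup. The directory contents, the attacker's logon ID, the volume names and the service's file path are constructed; the SYSTEM logon ID 0x3e7, \GLOBAL??, the Win32 DOS device names and the OBJ_IGNORE_IMPERSONATED_DEVICEMAP value are real.

```c
/* Added example, not from the slides: model of \?? resolution through the
 * process, impersonation and global device maps. Portable C:
 *   cc -o devmap devmap.c && ./devmap                                   */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x0800
#define MAX_LINKS 4
#define PATH_CAP 260

struct symlink { const char *name, *target; };
struct obj_dir { const char *path; struct symlink links[MAX_LINKS]; int n; };

/* Constructed object directories. Every per-logon DosDevices directory
 * shadows \GLOBAL??: names not found locally fall through to it. */
static struct obj_dir global_map = { "\\GLOBAL??",
    { {"C:", "\\Device\\HarddiskVolume1"}, {"NUL", "\\Device\\Null"},
      {"COM1", "\\Device\\Serial0"} }, 3 };
static struct obj_dir service_map =   /* SYSTEM logon session, nothing local */
    { "\\Sessions\\0\\DosDevices\\00000000-000003e7", { {0, 0} }, 0 };
static struct obj_dir attacker_map =  /* attacker dropped a C: link here */
    { "\\Sessions\\0\\DosDevices\\00000000-0003a2c9",
      { {"C:", "\\Device\\HarddiskVolume2\\attacker"} }, 1 };

struct lookup_ctx {
    const struct obj_dir *process_map;  /* the process's map: its token's, or
                                           whatever ProcessDeviceMap set     */
    const struct obj_dir *imp_map;      /* impersonation token's map, or NULL */
    const struct obj_dir *global;       /* \GLOBAL?? */
};

static int ieq(const char *a, const char *b, size_t n)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i])) return 0;
    return 1;
}

/* Win32 layer: a DOS device name in the last component (extension ignored)
 * becomes \??\<NAME> whatever directory precedes it; a drive path becomes
 * \??\<path>. This is slide 43's automatic redirection. */
int win32_to_nt_path(const char *win32, char *out, size_t cap)
{
    static const char *devs[] = { "NUL", "CON", "PRN", "AUX", "COM1", "LPT1" };
    const char *last = strrchr(win32, '\\');
    last = last ? last + 1 : win32;
    size_t base = strcspn(last, ".");
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        if (ieq(last, devs[i], base)) { snprintf(out, cap, "\\??\\%s", devs[i]); return 1; }
    if (isalpha((unsigned char)win32[0]) && win32[1] == ':') {
        snprintf(out, cap, "\\??\\%s", win32);
        return 1;
    }
    return 0;
}

/* The impersonation token's map wins while impersonating, unless the open
 * passed OBJ_IGNORE_IMPERSONATED_DEVICEMAP (the MS15-038 fix). */
const struct obj_dir *select_device_map(const struct lookup_ctx *c, unsigned attrs)
{
    if (c->imp_map && !(attrs & OBJ_IGNORE_IMPERSONATED_DEVICEMAP)) return c->imp_map;
    return c->process_map;
}

static const char *find_link(const struct obj_dir *d, const char *name, size_t n)
{
    for (int i = 0; i < d->n; i++)
        if (ieq(name, d->links[i].name, n)) return d->links[i].target;
    return NULL;
}

/* Resolve "\??\<name>\rest" through the selected map, then \GLOBAL??. */
int resolve_dos_path(const struct lookup_ctx *c, unsigned attrs,
                     const char *nt, char *out, size_t cap)
{
    if (strncmp(nt, "\\??\\", 4) != 0) return 0;
    const char *name = nt + 4, *rest = strchr(name, '\\');
    size_t n = rest ? (size_t)(rest - name) : strlen(name);
    const char *target = find_link(select_device_map(c, attrs), name, n);
    if (!target) target = find_link(c->global, name, n);
    if (!target) return 0;
    snprintf(out, cap, "%s%s", target, rest ? rest : "");
    return 1;
}

/* Where a SYSTEM service's CreateFile(win32) ends up, optionally while
 * impersonating the attacker's token, with object attributes `attrs`. */
int service_open_resolves_to(const char *win32, int impersonating,
                             unsigned attrs, char *out, size_t cap)
{
    char nt[PATH_CAP];
    struct lookup_ctx c = { &service_map, impersonating ? &attacker_map : NULL,
                            &global_map };
    return win32_to_nt_path(win32, nt, sizeof nt) &&
           resolve_dos_path(&c, attrs, nt, out, cap);
}

/* Which directory a driver's IoCreateSymbolicLink("\??\C:", ...) writes to
 * when the calling process's device map is `proc_map` (slide 34). */
const char *symlink_lands_in(const struct obj_dir *proc_map)
{
    struct lookup_ctx c = { proc_map, NULL, &global_map };
    return select_device_map(&c, 0)->path;
}

int main(void)
{
    char out[PATH_CAP];
    const char *cfg = "C:\\Windows\\System32\\svc.dat";   /* constructed */
    service_open_resolves_to(cfg, 0, 0, out, sizeof out);
    printf("no impersonation  : %s\n", out);
    service_open_resolves_to(cfg, 1, 0, out, sizeof out);
    printf("impersonating     : %s\n", out);
    service_open_resolves_to(cfg, 1, OBJ_IGNORE_IMPERSONATED_DEVICEMAP, out, sizeof out);
    printf("with ignore flag  : %s\n", out);
    service_open_resolves_to("C:\\somepath\\NUL", 0, 0, out, sizeof out);
    printf("C:\\somepath\\NUL  : %s\n", out);
    printf("\\??\\C: lands in   : %s\n", symlink_lands_in(&global_map));
    return 0;
}
```

The four printed lines are the whole argument of slides 37 and 43: the same service path opens the attacker's volume only while impersonating, the object attribute flag restores the service's own map, and a DOS device name in the last component discards the directory the service thought it was opening.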
44. James Forshaw @tiraniddo
Path Canonicalization
● Path canonicalization is fundamentally different between Windows and Linux/OSX
● In Linux or OSX the path is passed to the kernel as is
○ The kernel is responsible for path canonicalization
○ Both . and .. are real directory entries
● In Windows the path must be passed to the kernel as an absolute path
○ Relative path components are removed in user mode, without consulting the filesystem
○ The current directory is processed in user mode
○ Both . and .. are simulated
45. James Forshaw @tiraniddo
Path Canonicalization
Directory tree used below: A\B\C exists, D does not.
Path            Linux/OSX   Windows
A/B/C           Valid       Valid
A/B/C/../../B   Valid       Valid
A/B/D/../C      Invalid     Valid
A/B/D"/../C     Invalid     Valid
// The ".." components are removed lexically, so CheckSig opens and verifies
// c:\windows\notepad.exe; but when the path is quoted into a command line
// the embedded quote ends the module name at c:\myapp.exe
const char* path = "c:\\myapp.exe\"\\..\\..\\windows\\notepad.exe";
if (CheckSig(path)) {
    snprintf(cmdline, sizeof(cmdline), "\"%s\" arg", path);
    CreateProcess(NULL, cmdline, ...);
}
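Added example, not from the slides: the two canonicalization models from the table side by side, plus the command-line parsing step that turns the snippet above into an exploit. Portable C; the directory tree A\B\C and the myapp.exe path are constructed, and module_from_cmdline models only the leading-quote rule CreateProcess applies when lpApplicationName is NULL.

```c
/* Added example, not from the slides: lexical (Windows) versus walked
 * (Linux/OSX) canonicalisation, and quoted module-name parsing.
 * Portable C:  cc -o canon canon.c && ./canon                            */
#include <stdio.h>
#include <string.h>

#define MAX_COMP 32
#define PATH_CAP 260

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Split on either separator, in place. */
static int split(char *buf, char **comps, int max)
{
    int n = 0;
    for (char *p = buf; *p && n < max; ) {
        while (is_sep(*p)) p++;
        if (!*p) break;
        comps[n++] = p;
        while (*p && !is_sep(*p)) p++;
        if (*p) *p++ = '\0';
    }
    return n;
}

static void join(char **comps, int n, char *out, size_t cap)
{
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i) strncat(out, "\\", cap - strlen(out) - 1);
        strncat(out, comps[i], cap - strlen(out) - 1);
    }
}

/* Windows: user mode strips "." and ".." lexically, never touching the
 * filesystem; ".." cannot climb above the first component (the drive), and
 * any component before ".." is discarded unseen. Always succeeds. */
int lexical_canonicalize(const char *path, char *out, size_t cap)
{
    char buf[PATH_CAP];
    char *comps[MAX_COMP], *keep[MAX_COMP];
    int k = 0;
    snprintf(buf, sizeof buf, "%s", path);
    int n = split(buf, comps, MAX_COMP);
    for (int i = 0; i < n; i++) {
        if (!strcmp(comps[i], ".")) continue;
        if (!strcmp(comps[i], "..")) { if (k > 1) k--; continue; }
        keep[k++] = comps[i];
    }
    join(keep, k, out, cap);
    return 1;
}

/* Linux/OSX: the kernel walks the path, so every component, including the
 * one before "..", must exist. `tree` lists the existing entries. */
int walk_resolve(const char *path, const char **tree, int ntree,
                 char *out, size_t cap)
{
    char buf[PATH_CAP];
    char *comps[MAX_COMP], *keep[MAX_COMP];
    int k = 0;
    snprintf(buf, sizeof buf, "%s", path);
    int n = split(buf, comps, MAX_COMP);
    for (int i = 0; i < n; i++) {
        if (!strcmp(comps[i], ".")) continue;
        if (!strcmp(comps[i], "..")) { if (k > 0) k--; continue; }
        keep[k++] = comps[i];
        join(keep, k, out, cap);
        int found = 0;
        for (int t = 0; t < ntree && !found; t++) found = !strcmp(out, tree[t]);
        if (!found) return 0;          /* ENOENT at this component */
    }
    join(keep, k, out, cap);
    return 1;
}

/* CreateProcess with lpApplicationName == NULL: a command line that starts
 * with a quote takes the module name up to the next quote, otherwise up to
 * the first space. */
int module_from_cmdline(const char *cmdline, char *out, size_t cap)
{
    const char *start = cmdline, *end;
    if (*start == '"') { start++; end = strchr(start, '"'); }
    else end = strchr(start, ' ');
    if (!end) end = start + strlen(start);
    size_t len = (size_t)(end - start);
    if (len >= cap) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    const char *tree[] = { "A", "A\\B", "A\\B\\C" };   /* A\B\C exists, D does not */
    const char *rows[] = { "A/B/C", "A/B/C/../../B", "A/B/D/../C", "A/B/D\"/../C" };
    char out[PATH_CAP], cmdline[PATH_CAP * 2];
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        int ok = walk_resolve(rows[i], tree, 3, out, sizeof out);
        lexical_canonicalize(rows[i], out, sizeof out);
        printf("%-14s Linux/OSX: %-8s Windows: Valid (%s)\n",
               rows[i], ok ? "Valid" : "Invalid", out);
    }
    /* The slide's snippet: the signature check sees notepad.exe, the
     * process that runs is myapp.exe. */
    const char *path = "c:\\myapp.exe\"\\..\\..\\windows\\notepad.exe";
    lexical_canonicalize(path, out, sizeof out);
    printf("CheckSig sees     : %s\n", out);
    snprintf(cmdline, sizeof cmdline, "\"%s\" arg", path);
    module_from_cmdline(cmdline, out, sizeof out);
    printf("CreateProcess runs: %s\n", out);
    return 0;
}
```

The fix on the service side is to canonicalize once, reject paths containing quote characters, and pass the result as lpApplicationName rather than re-quoting it into a command line.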
53. James Forshaw @tiraniddo
AiCheckSecureApplicationDirectory Bypass
● Need to be able to write a file with a secure path
● How can we write to C:\Windows without writing to C:\Windows?
[Figure: c:\windows\malicious.exe passes the secure-directory check (ALLOWED) but a normal user can't create it; is there some c:\windows\???? that a normal user can write and that still passes (ALLOWED?)]
54. James Forshaw @tiraniddo
NTFS Alternate Data Streams FTW!
c:\windows\tracing:malicious.exe   ALLOWED
● Only need the FILE_WRITE_DATA/FILE_ADD_FILE access right on the directory to create a named stream on it.
● Bug only fixed in Windows 10, not in Windows 8.1 and below.
55. James Forshaw @tiraniddo
Windows Symbolic Links
Windows NT 3.1 (July 27 1993): Object Manager symbolic links; registry key symbolic links
Windows 2000 (Feb 17 2000): NTFS mount points and directory junctions
Windows Vista (Nov 30 2006): NTFS symbolic links
56. James Forshaw @tiraniddo
Mitigated in Sandboxes
NTFS Mount Points               BANNED
Registry Key Symbolic Links     LIMITED
Object Manager Symbolic Links   LIMITED
57. James Forshaw @tiraniddo
Weird Default Permissions
● Both C:\Windows\Temp and C:\ProgramData have permissions which allow a normal user to create new files
● If you can find a program misusing these you can create new files or symbolic links to attack it
● You can’t necessarily delete existing files, but of course it's worth finding a way of doing so.
59. James Forshaw @tiraniddo
The Tools of the Trade (well, my choice)
● SysInternals
○ Process Explorer
○ Process Monitor
○ WinObj
● WinDBG
● Rohitab API Monitor (http://www.rohitab.com/apimonitor)
● RPCView (http://www.rpcview.org/)
● OleView.NET (https://github.com/tyranid/oleviewdotnet)
● Sandbox Analysis Tools (https://github.com/google/sandbox-attacksurface-analysis-tools)
● IDA Pro