The Rise of Potatoes: Privilege Escalations in Windows Services

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 11:20 a.m. (40 minutes)

Privilege escalation is a required step for an attacker in order to get full control of a system starting from lower privileged access. In Windows there are many ways to reach this goal. This talk will focus on showing all the recent techniques used to escalate privileges starting from a service account.

This scenario is quite common when attacking web applications hosted on Windows servers. When a web server is compromised (through code execution or arbitrary file write), it is possible to run commands on behalf of the web server, which runs as a service. MSSQL servers are another example of services that could be compromised by a malicious attacker.

WSH (Windows Service Hardening) is a feature enabled since Windows Vista with the goal of hardening services. These "isolation" techniques are often not applied and, in some cases, can be abused too. As an example, the famous Rotten/JuicyPotato exploit uses the DCOM/NTLM reflection vulnerability.

Those techniques require SeImpersonatePrivilege, which is considered a "God privilege" by MS. The impersonation privilege is assigned by default to any service account, and that opens a hole that could be abused by attackers in order to escalate privileges. MS does not consider this boundary (going from SERVICE with SeImpersonate to SYSTEM) a security boundary but just a safety boundary. For this reason, those vulnerabilities are classified as "won't fix" by MS.

This talk will describe all the recent techniques, showing how it is still possible to escalate privileges from SERVICE to SYSTEM in multiple ways.

Some mitigations will be advised too; sysadmins should never rely on the default service account configuration to segregate services/processes.
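
As an added example (not material from the talk), the following PowerShell audit lists running services whose logon account is one of the built-in service accounts that hold SeImpersonatePrivilege by default, so an administrator can review which services are still relying on that default; the account name list is assumed from the standard `Win32_Service.StartName` values.

```powershell
# Added audit script, not part of the presentation. Run as an administrator.
# Built-in service accounts that receive SeImpersonatePrivilege by default
# (assumed spelling as reported in Win32_Service.StartName).
$defaultAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# Enumerate running services and flag those using a default service account.
$flagged = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.StartName } |
    ForEach-Object {
        [PSCustomObject]@{
            Name    = $_.Name
            Account = $_.StartName
            # -contains is case-insensitive in PowerShell, so casing of StartName does not matter
            Default = ($defaultAccounts -contains $_.StartName)
            Path    = $_.PathName
        }
    } |
    Where-Object { $_.Default } |
    Sort-Object Account, Name

$flagged | Format-Table Name, Account, Path -AutoSize
Write-Output ("{0} running service(s) use a default account with SeImpersonatePrivilege" -f @($flagged).Count)

# Second check: does the token this script runs under hold SeImpersonatePrivilege?
# Useful when executed from a service context (e.g. a scheduled task or an app pool).
$privLine = whoami /priv | Select-String -SimpleMatch 'SeImpersonatePrivilege'
if ($privLine) {
    Write-Output ("Current token holds SeImpersonatePrivilege: " + $privLine.Line.Trim())
} else {
    Write-Output 'Current token does not hold SeImpersonatePrivilege'
}
```

Services flagged by the first check are candidates for a dedicated service account or a virtual account with the privilege removed, which is the kind of non-default configuration the talk's mitigations refer to.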

Presenters:

  • Antonio Cocomazzi - System Engineer, SentinelOne
    Antonio Cocomazzi "splinter_code" is a system engineer with a particular interest in malware analysis. He also conducts independent research with a focus on discovering new vulnerabilities and, more generally, on digging into Windows OS internals. The main focus of his activities is on researching new ways of attacking Windows operating systems and finding cutting-edge techniques to achieve stealth in heavily monitored environments. He enjoys reversing any kind of binary, from packed malware to Windows internal components. He likes playing online CTFs and writing/publishing offensive tools and security research, mostly based on Windows OS, on his GitHub channel.
