Token Kidnapping's Revenge

Presented at DEF CON 18 (2010), July 30, 2010, 1 p.m. (50 minutes)

On April 14, 2009 Microsoft released a patch (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) to fix the issues detailed in my previous Token Kidnapping presentation (http://www.argeniss.com/research/TokenKidnapping.pdf). The patch properly fixed those issues, but... This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand-new Windows 2008 R2 and Windows 7. These new attacks bypass the new Windows service protections such as per-service SIDs, write-restricted tokens, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to the Local System account and completely compromise Windows operating systems. While the issues are not critical in nature, since impersonation rights are required, they allow exploitation of services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way, showing how the new issues were found and with what tools and techniques, allowing participants to learn how to easily find these kinds of security issues in Windows operating systems.

Presenters:

  • Cesar Cerrudo - Argeniss
    Cesar Cerrudo is the founder and CEO of Argeniss (www.argeniss.com), a security consultancy firm based in Argentina. He is a security researcher and consultant specializing in application security. Regarded as a leading application security researcher, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security, attacks, and exploitation techniques, and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, FRHACK, EkoParty, etc. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.
