Presented at
DEF CON 28 (2020) Virtual,
Aug. 8, 2020, 9:30 a.m.
(30 minutes)
In 2010, Stuxnet, the most powerful malware in the world revealed itself, causing physical damage to Iranian nuclear enrichment centrifuges. In order to reach Iran's centrifuges, it exploited a vuln in the Windows Print Spooler service and gain code execution as SYSTEM. Due to the hype around this critical vuln, we (and probably everyone else) were pretty sure that this attack surface would no longer exist a decade later. We were wrong…
The first clue was that 2 out of 3 vulns which were involved in Stuxnet were not fully patched. That was the case also for the 3rd vuln used in Stuxnet, which we were able to exploit again in a different manner.
It appears that Microsoft has barely changed the code of the Print Spooler mechanism over the last 20 years.
We investigated the Print Spooler mechanism of Windows 10 Insider and found two 0-day vulns providing LPE and DoS (First one can also be used as a new persistence technique)
Presenters:
-
Tomer Bar
- Research Team Leader at SafeBreach Labs
Tomer Bar is a security researcher and a research team leader with 15+ years of unique experience in the sec field. Currently leading the research team of SafeBreach Labs. His experience involved vulnerability research, malware analysis, etc.
-
Peleg Hadar
- Senior Security Researcher at SafeBreach Labs
Peleg Hadar (@peleghd) is a security researcher, having 8+ years of unique experience in the sec field. Currently doing research @SafeBreach Labs, previously serving in various sec positions @IDF.
His experience involved security from many angles: starting with network research, and now mostly software research. Peleg likes to investigate mostly Microsoft Windows components.
@peleghd
Links:
Similar Presentations: