PWN Windows: From Low to System Privilege via RASMAN Service

Presented at CanSecWest 2022, May 20, 2022, 2:15 p.m. (60 minutes)

Windows is an operating system with a long history, which also means that it has a lot of code that has been used for many years. This code may not have been fully considered for its security when it was written. I found an attack surface called RASMAN (Remote Access Connection Manager) that has been hidden for a long time; it has existed at least since the Windows NT4 version. In this talk, I will introduce the architecture of this module in detail, and introduce how I could find 10+ vulnerabilities in this module in a short period of time. Finally, I will introduce two vulnerabilities which bypass all current mitigations and won the Windows EOP project in Tianfu Cup 2021.

Presenters:

  • Ziming Zhang - Ant Security Light-Year Lab
    Security researcher of Ant Security Light-Year Lab, working on virtualization security and kernel security. 2021 Tianfu Cup Windows project winner; 2021 Q2 Microsoft Most Valuable Security Researcher; 2020 Tianfu Cup Parallels Desktop project winner. Before, I researched vulnerabilities related to virtualization software and obtained 30+ CVEs in QEMU, VirtualBox, PD, etc. In the past year, I got 10+ CVE numbers from Microsoft, many of which are exploitable.
