Oct 27, 2009

Token Kidnapping's Revenge

Finally I got some free time to take a look at Windows for security issues. I was initially amazed with Windows 7 and Windows 2008 R2; they looked really solid, but after some time I started to find some issues.
These issues are not really dangerous (depending on the scenario) but they allow continuing to exploit Windows using a new attack vector to perform Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf).
Don't get me wrong, MS properly fixed the issues (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) detailed in the Token Kidnapping presentation, but they didn't find/fix all the attack vectors.
With this new attack vector it's still possible to elevate privileges to the Local System account from almost any process that has impersonation rights, bypassing new Windows services protections such as per-service SID, write-restricted token, etc.
Probably I will be presenting the findings at Hackers to Hackers Conference in Brazil (http://www.h2hc.com.br/) in a couple of weeks.


Erwin said...

Do you plan to release the slides now that the conference is over? I'm really interested in what new paths you've discovered.

Cesar Cerrudo said...

They won't be released at this time, maybe in the near future. Anyway, the slides don't tell much; I should write a paper and publish it.