Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities
by James Forshaw
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as in first- and third-party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062, will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
Video "Social Engineering The Windows Kernel: Finding And Exploiting Token Handling Vulnerabilities" from the Black Hat channel