windows privilege escalations
play

Windows Privilege Escalations: Still abusing Service Accounts to get - PowerPoint PPT Presentation

Sep 22, 2022 •287 likes •893 views

Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges Antonio Cocomazzi, Rome, September 27 th 2020 whoami System Engineer @ SentinelOne Passionate about IT security and constantly trying to learn and

  1. Windows Privilege Escalations: Still abusing Service Accounts to get SYSTEM privileges Antonio Cocomazzi, Rome, September 27 th 2020

  2. whoami ➔ System Engineer @ SentinelOne ➔ Passionate about IT security and constantly trying to learn and experiment new cool stuff, especially on Windows Systems @splinter_code ➔ CTF player and proud member of @antonioCoco @DonkeysTeam

  3. Why this talk ➔ Windows Service Accounts usually holds “impersonation privileges” which can be (easily) abused for privilege escalation once compromised ➔ “Rotten/JuicyPotato” exploits do not work anymore in latest Windows releases ➔ Any chance to get our potatoes alive and kicking, again?

  4. Agenda - Windows Services - Windows Service Accounts - WSH (Windows Service Hardening) - Impersonation - From Service to System - RogueWinRm - Network Service Impersonation - PrintSpoofer - RoguePotato - Juicy2 - Chimichurri Reloaded - Mitigations - Conclusion

  5. Windows Services ➔ What is a service? ◆ Particular process that runs in a separate Session and without user interaction. ◆ The classic Linux daemon, but for windows ➔ Why so important? ◆ Most of the Windows core components are run through a service ◆ DCOM, RPC, SMB, IIS, MSSQL, etc … ◆ Being daemons they will be an exposed attack surface ➔ Must be run with a Service Account User ➔ Configurations are under HKLM\SYSTEM\CurrentControlSet\Services

  6. Windows Services ➔ How you recognize a service? ◆ Child process of services.exe (SCM) ◆ Process in Session 0 ◆ From source code perspective: SvcInstall(), SvcMain(), SvcCtrlHandler(), SvcInit ()… ➔ How the NT Kernel recognize a service… ◆ S-1-5-6 Service A group that includes all security principals that have logged on as a service.

  7. Windows Service Accounts ➔ Windows Service Accounts have the password managed internally by the operating system ➔ Service Account types: ◆ Local System ◆ Local Service / Network Service Accounts ◆ Managed Service & Virtual Accounts ➔ Allowed to logon as a Service, logon type 5

  8. Windows Service Accounts

  9. Windows Service Hardening (WSH) ➔ Until Windows Server 2003/XP every service was run as SYSTEM ➔ If you compromise a service you have compromised also the whole machine ➔ WSH to the rescue, at least that was the initial goal ➔ Great references by @tiraniddo [1] and @cesarcer [2] [1] https://www.tiraniddo.dev/2020/01/empirically-assessing-windows-service.html [2] https://downloads.immunityinc.com/infiltrate-archives/WindowsServicesHacking.pdf

  10. Windows Service Hardening (WSH) ➔ Limited Service Accounts ◆ Introduction of the LOCAL SERVICE and NETWORK SERVICE accounts, less privileges than SYSTEM account. ➔ Reduced Privileges ◆ Services run only with specified privileges ( least privilege ) ➔ Write-Restricted Token ➔ Per-Service SID ◆ Service access token has dedicated and unique owner SID . No SID sharing across different services ➔ Session 0 Isolation ➔ System Integrity Level ➔ UIPI (User interface privilege isolation)

  11. Impersonation ➔ “Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread.” MSDN ➔ Basically it allows to execute code on behalf of another user ➔ Token forged by impersonation are called secondary token or impersonation token ➔ Your process must hold the SeImpersonatePrivilege (“Impersonate a Client After Authentication”) to perform the impersonation ➔ It is the prerequisite for all the techniques will be shown

  12. Impersonation ➔ Impersonation assigns a token to a thread , replace the token used in access checks for the majority of system calls [1] [1] https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20- %20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf

  13. Impersonation Exploit Compromised Service Copy Primary Token Primary Token Token User1 User1 SeImpersonate … SeImpersonate … Main Thread Main Thread Inherit Token ImpersonateLoggedOnUser() Create Process() Impersonation Token Impersonation Token void void

  14. Impersonation Exploit Compromised Service Copy Primary Token Primary Token Token User1 User1 SeImpersonate … SeImpersonate … Main Thread Main Thread Inherit Token ImpersonateLoggedOnUser() Create Process() Impersonation Token Impersonation Token void user2

  15. Impersonation Exploit Compromised Service Copy Primary Token Primary Token Token User1 User1 SeImpersonate … SeImpersonate … Main Thread Main Thread ImpersonateLoggedOnUser() Create Process() Impersonation Token Impersonation Token void user2

  16. Impersonation Exploit Privileged Process Compromised Service Copy Primary Token Primary Token Create Primary Token Token User1 User1 Process() user2 SeImpersonate … SeImpersonate … Main Thread Main Thread ImpersonateLoggedOnUser() Create Process() Impersonation Token Impersonation Token void user2

  17. Impersonation Exploit Privileged Process Compromised Service Copy Primary Token Primary Token Create Primary Token Token User1 User1 Process() user2 SeImpersonate … SeImpersonate … Main Thread Main Thread ImpersonateLoggedOnUser() Create Process() Impersonation Token Impersonation Token void user2 COMMON MISTAKE!

  18. Impersonation ➔ Impersonation is specific to threads ➔ Creating a process with a specific token gives more freedom ➔ It is possible to create a process with a specific token using only the SeImpersonatePrivilege, but... ➔ It has nothing to do with the internal working of Impersonation. It just make an RPC call on the seclogon service. CreateProcessWithToken() – > SlrCreateProcessWithLogon() that calls internally CreateProcessAsUser() ➔ You can also call directly CreateProcessAsUser() without using the seclogon service. You need SeAssignPrimaryToken privilege that is normally assigned to various windows service accounts

  19. Impersonation ➔ You are wondering now: what is the link between Services and the impersonation privileges? 

  20. From Service to SYSTEM

  21. From Service to System: Disclaimer ➔ We tried to report this kind of vulnerabilities to MS before the release, but this is the result… ➔ What MS think about the impersonation privileges [1]: ◆ 22/11/2019 – MS answered “game over”, stating that elevating from a Local Service process (with SeImpersonate ) to SYSTEM is an “expected behavior”, referring to this MS public page ➔ So after the first attempt to report, no one bothered anymore MS for those specific issues… ¯ \_( ツ )_/¯ [1] Disclosure timeline in https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

  22. Side note: The easiest way to EOP from Service to SYSTEM ➔ Did you know? Starting from Windows 10 1803/Win Server 2019 up to September 2019 Security Update it was possible for “SERVICE” accounts to abuse “UsoSvc” and get SYSTEM priv!! ➔ Once you had compromised a Service account, all you needed to do from a cmd/powershell was: sc stop UsoSvc & sc configure UsoSvc binpath= c:\myevilprog.exe & sc start UsoSvc

  23. Side note: The easiest way to EOP from Service to SYSTEM

  24. RogueWinRm ➔ Release Date: 6 December 2019 ➔ Authors: @decoder_it - @splinter_code – 0xEA (@DonkeysTeam) ➔ Brief Description ◆ Force the BITS service to authenticate to a Rogue WinRm HTTP server in a NTLM challenge/response authentication resulting in a SYSTEM token stealing. ➔ Requirements ◆ WinRm Port (5985) available for listening ◆ By default impact only Windows clients, no Windows Servers

  25. RogueWinRm ➔ When a BITS object get initialized a weird behavior happens ➔ BITS object could be created through a DCOM activation using its CLSID or by a simple “ bitsadmin /list ”

  26. RogueWinRm ➔ RogueWinRm is a minimal webserver that performs NTLM authentication over HTTP [1] [1] https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/

  27. RogueWinRm

  28. Network Service Impersonation ➔ Release Date: 25 April 2020 ➔ Authors: @tiraniddo ➔ Brief Description ◆ If you can trick the “Network Service” account to write to a named pipe over the “network” and are able to impersonate the pipe, you can access the tokens stored in RPCSS service (which is running as Network Service and contains a pile of treasures) and “steal” a SYSTEM token. ➔ Requirements ◆ SeImpersonate privilege is not enough. You need also a token from “Network Service” account ◆ SMB running

  29. Network Service Impersonation ➔ Lsass.exe has an internal mechanism to save and reuse created tokens ➔ This can be abused in the case of network authentication to get a token with a more powerful LUID ➔ Only local network authentication are impacted by this behavior ➔ SMB supports local network authentication + Named pipes supports network authentication token = the perfect combination ➔ From NETWORK SERVICE run a pipe server and impersonate a loopback authentication over smb, magic will happen

  30. Network Service Impersonation Blog: https://www.tiraniddo.dev/2020/04/sharing-logon-session-little-too-much.html Blog: https://decoder.cloud/2020/05/04/from-network-service-to-system/ POC: https://github.com/decoder-it/NetworkServiceExploit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC

Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC

Windows privilege escalation Thomas Garnier SkyRecon Systems Recon 2008 05/23/2008 Overview Introduction LPC interface details MS08-002: LSASS privilege escalation Demo: LSASS exploitation Protection against LPC privilege

681 views • 46 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo Ruxcon 2015 1 Obligatory

Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo Ruxcon 2015 1 Obligatory

Windows 10 2 Steps Forward, 1 Step Back James Forshaw @tiraniddo Ruxcon 2015 1 Obligatory Background Slide Researcher in Googles Project Zero team Specialize in Windows Especially local privilege escalation Never met

792 views • 62 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Bayesian & Markov Networks: A unified view Probabilistic Graphical Models (10-

Bayesian & Markov Networks: A unified view Probabilistic Graphical Models (10-

School of Computer Science Bayesian & Markov Networks: A unified view Probabilistic Graphical Models (10- Probabilistic Graphical Models (10 -708) 708) Lecture 3, Sep 19, 2007 Receptor A Receptor A X 1 X 1 X 1 Receptor B Receptor B

615 views • 13 slides
ARTIST2 ARTIST2 Graduate Course on Embedded Systems RT-Linux Motor Controller Michal Sojka,

ARTIST2 ARTIST2 Graduate Course on Embedded Systems RT-Linux Motor Controller Michal Sojka,

ARTIST2 ARTIST2 NoE on Embedded Systems Design ECS Graduate Course Valencia, Spain. April 58, 2005 ARTIST2 ARTIST2 Graduate Course on Embedded Systems RT-Linux Motor Controller Michal Sojka, Ondej pinka Department of Control

644 views • 20 slides
Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-16/ Prof.

Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-16/ Prof.

Principles of Programming Languages h"p://www.di.unipi.it/~andrea/Dida2ca/PLP-16/ Prof. Andrea Corradini Department of Computer Science, Pisa Lesson 13 A Quick Intro to LLVM What is LLVM? LLVM is a compiler infrastructure designed as

581 views • 17 slides
Degree Spectra of Relations on a Cone Matthew Harrison-Trainor University of California, Berkeley

Degree Spectra of Relations on a Cone Matthew Harrison-Trainor University of California, Berkeley

Degree Spectra of Relations on a Cone Matthew Harrison-Trainor University of California, Berkeley Vienna, July 2014 Matthew Harrison-Trainor Degree Spectra of Relations on a Cone The main question Setting: A a computable structure, and R A

453 views • 16 slides
RMI and Network Objects Our goal now is to look at some current distributed object systems. We

RMI and Network Objects Our goal now is to look at some current distributed object systems. We

RMI and Network Objects Our goal now is to look at some current distributed object systems. We start with systems that preserve the single-language model of Emerald, with uniform garbage collection: RMI for Java Network Objects for

692 views • 17 slides
Safe Java Native Interface S J v N v c Gang Tan*, Andrew W. Appel # , Srimat Chakradhar ,

Safe Java Native Interface S J v N v c Gang Tan*, Andrew W. Appel # , Srimat Chakradhar ,

Safe Java Native Interface S J v N v c Gang Tan*, Andrew W. Appel # , Srimat Chakradhar , Anand Raghunathan , Srivaths Ravi , and Daniel Wang # *Boston College # Princeton University NEC Labs America Heterogeneous Programming

522 views • 33 slides
IBM X-Force signatures related to ICS related products and protocols Provides the protection for

IBM X-Force signatures related to ICS related products and protocols Provides the protection for

OT Seize the last chance of preventing OT Cyberattack proactively Gwen Hsieh Sr. Offering Manger, IBM Security IBM X-Force signatures related to ICS related products and protocols

220 views • 10 slides
Commercial meets Open Source Tuning STATISTICA with R Tuning STATISTICA with R Christian H.

Commercial meets Open Source Tuning STATISTICA with R Tuning STATISTICA with R Christian H.

Commercial meets Open Source Tuning STATISTICA with R Tuning STATISTICA with R Christian H. Wei STATISTICA and R Christian H. Wei Introduction Introduction Introduction Introduction STATISTICA and R Christian H.

798 views • 59 slides

More recommend