Oct 27, 2009

Token Kidnapping's Revenge

Finally I got some free time to take a look at Windows for security issues. I was initially amazed with Windows 7 and Windows 2008 R2; they looked really solid, but after some time I started to find some issues.
These issues are not really dangerous (depending on the scenario), but they allow one to continue exploiting Windows using a new attack vector to perform Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf).
Don't get me wrong, MS properly fixed the issues (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) detailed in the Token Kidnapping presentation, but they didn't find/fix all the attack vectors.
With this new attack vector it's still possible to elevate privileges to the Local System account from almost any process that has impersonation rights, bypassing the new Windows service protections such as per-service SID, write-restricted token, etc.
I will probably be presenting the findings at the Hackers to Hackers Conference in Brazil (http://www.h2hc.com.br/) in a couple of weeks.