Privilege escalation is a required step for an attacker in order to get full control of a system starting from a lower privileged access.
In Windows there are many ways to reach this goal. The first part of the talk will be focused on showing all the recent techniques used to do privilege escalation starting from a service account. The second part is dedicated to a new 0day in NTLM relay attack which we reported to MSRC and will be fixed in April, 13th.
This scenario is quite common when attacking web applications hosted on Windows servers. When a web server is compromised (through code execution or arbitrary file write) it is possible to run commands on behalf of the web server that is running as a service. MSSQL servers are another example of services that could be compromised by a malicious attacker.
WSH (Windows Service Hardening) is a feature enabled since Windows Vista with the goal of hardening services. These “isolation” techniques are often not applied and, in some cases, can be abused too. As an example, the famous Rotten/JuicyPotato exploit uses the DCOM/NTLM reflection vulnerability.
Those techniques require SeImpersonatePrivilege which is considered a God privilege by MS. The impersonation privilege is assigned by default to any service account and that opens a hole that could be abused by the attackers in order to escalate privileges. MS does not consider this boundary (going from SERVICE with SeImpersonate to SYSTEM ) as a security boundary but just a safety boundary. For this reason, those vulnerabilities are classified as “won’t fix” by MS.
We will describe all the recent techniques, showing how it is still possible to escalate privileges from SERVICE to SYSTEM in multiple ways.
Even if NTLM relaying is a quite old technique but always current, we recently discovered a new attack vector based on our previous researches discussed in this talk which led to privilege escalations when combined with relaying, the RemotePotato0.