Social Engineering the Windows Kernel - Finding and Exploiting Token Handling Vulnerabilities

Explore the intricacies of token handling vulnerabilities in the Windows kernel through this Black Hat conference talk. Delve into social engineering techniques applied to operating system security, focusing on Access Tokens and their role in system authentication. Learn about the kernel's capabilities for identifying fake tokens and the potential consequences when these checks are bypassed. Examine real-world examples of serious vulnerabilities, including CVE-2015-0002 and CVE-2015-0062, and gain insights into exploitable patterns for conducting your own security reviews. Discover methods for exploiting token handling vulnerabilities to elevate local privileges, break out of application sandboxes, and potentially compromise the kernel. Cover key topics such as Windows security components, impersonation security levels, named pipes, NTLM negotiation, and Services for User (S4U). Analyze how kernel code interacts with tokens, common pitfalls in token handling, and recent changes in Windows 10 security measures. Gain valuable knowledge for identifying and mitigating token-related security risks in Windows environments.

Obligatory Background Slide
Windows Security Components
Security Reference Monitor
Token Categories
Impersonation Security Level
Named Pipes
NTLM Negotiation
Services For User (S4U)
How the Kernel Code Interacts with Tokens
Not Checking Impersonation Level
Crafted Subject Context
System Thread Impersonation
Leaky Tokens
Incorrect Token Duplication
Windows 10 Changes
Windows 10 Elevated Token Impersonation
Conclusions