Social Engineering the Windows Kernel - Finding and Exploiting Token Handling Vulnerabilities
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricacies of token handling vulnerabilities in the Windows kernel through this Black Hat conference talk. Delve into social engineering techniques applied to operating system security, focusing on Access Tokens and their role in system authentication. Learn about the kernel's capabilities for identifying fake tokens and the potential consequences when these checks are bypassed. Examine real-world examples of serious vulnerabilities, including CVE-2015-0002 and CVE-2015-0062, and gain insights into exploitable patterns for conducting your own security reviews. Discover methods for exploiting token handling vulnerabilities to elevate local privileges, break out of application sandboxes, and potentially compromise the kernel. Cover key topics such as Windows security components, impersonation security levels, named pipes, NTLM negotiation, and Services for User (S4U). Analyze how kernel code interacts with tokens, common pitfalls in token handling, and recent changes in Windows 10 security measures. Gain valuable knowledge for identifying and mitigating token-related security risks in Windows environments.
Syllabus
Obligatory Background Slide
Windows Security Components
Security Reference Monitor
Token Categories
Impersonation Security Level
Named Pipes
NTLM Negotiation
Services For User (S4U)
How the Kernel Code Interacts with Tokens
Not Checking Impersonation Level
Crafted Subject Context
System Thread Impersonation
Leaky Tokens
Incorrect Token Duplication
Windows 10 Changes
Windows 10 Elevated Token Impersonation
Conclusions
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security ChipBlack Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube