Social Engineering the Windows Kernel - Finding and Exploiting Token Handling Vulnerabilities

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Cybersecurity Courses
Exploit Development Courses
Privilege Escalation Courses
Kernel Exploitation Courses
Windows Kernel Courses

Course Description

Overview

Explore token handling vulnerabilities in the Windows kernel through this Black Hat conference talk. The talk applies the idea of social engineering to the operating system itself, focusing on Access Tokens and their role in system authentication. Learn how the kernel is supposed to recognise a fake token and what happens when those checks are bypassed. Examine real-world examples of serious vulnerabilities, including CVE-2015-0002 and CVE-2015-0062, and learn the exploitable patterns to look for when conducting your own security reviews. Discover how token handling vulnerabilities can be exploited to elevate local privileges, break out of application sandboxes, and potentially compromise the kernel. Key topics include Windows security components, impersonation security levels, named pipes, NTLM negotiation, and Services for User (S4U). The talk analyses how kernel code interacts with tokens, common pitfalls in token handling, and recent changes to Windows 10 security measures, giving you the background needed to identify and mitigate token-related security risks in Windows environments.

Syllabus

Obligatory Background Slide
Windows Security Components
Security Reference Monitor
Token Categories
Impersonation Security Level
Named Pipes
NTLM Negotiation
Services For User (S4U)
How the Kernel Code Interacts with Tokens
Not Checking Impersonation Level
Crafted Subject Context
System Thread Impersonation
Leaky Tokens
Incorrect Token Duplication
Windows 10 Changes
Windows 10 Elevated Token Impersonation
Conclusions


Taught by

Black Hat
