0Day for all Windows (XP - Windows 10 - Server)

A security researcher from Colombia He discovered one way (0Day) to have administrator rights and boot persistence on every computer that uses Windows.

The surprising thing is that the technique was publicly released for the first time in December of 2017, but was never mentioned by the media despite its seriousness.

Also, this particular 0Day does not seem to have been taken into account by malware developers.

0Day was discovered by Sebastián Castro, a CSL security researcher. The exploit targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).

The RID is a code that is added to the end of the security IDs of each account (SID by identifier) ​​and describes the user's permission group. There are many RIDs available, but the most common are 501 for the standard guest account and 500 for administrator accounts.

Castro, with the help of CSL CEO Pedro García, discovered that log information for each Windows account. From there he could modify the RID associated with a particular account and give it a different RID from the admin group.

The technique does not allow a hacker to remotely infect a computer unless it is exposed to the Internet without a password.

Of course we should mention that there are cases where a hacker can access a system with some malware. In case it gains access with single user privileges, it is very simple to become an administrator with full access to the Windows system.

We should also mention that the keys work directly from startup (boot persistence). Thus, all changes made to account RIDs remain permanent until corrected.

The attack is very credible. Tested and found to work perfectly on all versions of Windows from XP to Windows 10 and from Server 2003 to Server 2016. Theoretically and earlier versions should be vulnerable.

"It is not so easy to detect the exploit, because this attack could be developed using e.g of the OS without causing any to the victim," Castro says.

We can discover the attack on RID by examining the [Windows] registry and checking for inconsistencies in SAM (Security Account Manager).

If the guest account's SID has a RID of 500, the guest account has administrator rights.

Also mention (without suggesting) that this particular exploit can help you get an administrator account on systems that have put you as a user.

______________

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.087 registrants.

0day2017exploitI'm sureKeysmedium

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).