A security researcher from Colombia He discovered one way (0Day) to have administrator rights and boot persistence on every computer that uses Windows.
The surprising thing is that the technique was publicly released for the first time in December of 2017, but was never mentioned by the media despite its seriousness.
Also, this particular 0Day does not seem to have been taken into account by malware developers.
0Day was discovered by Sebastián Castro, a CSL security researcher. The exploit targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).
The RID is a code that is added to the end of the security IDs of each account (SID by security identifier) and describes the user's permission group. There are many RIDs available, but the most common are 501 for the standard guest account and 500 for administrator accounts.
Castro, with the help of CSL CEO Pedro García, discovered that wrenches log information for each Windows account. From there he could modify the RID associated with a particular account and give it a different RID from the admin group.
The technique does not allow a hacker to remotely infect a computer unless it is exposed to the Internet without a password.
Of course we should mention that there are cases where a hacker can access a system with some malware. In case it gains access with single user privileges, it is very simple to become an administrator with full access to the Windows system.
We should also mention that the registry keys work directly from startup (boot persistence). Thus, all changes made to account RIDs remain permanent until corrected.
The attack is very credible. Tested and found to work perfectly on all versions of Windows from XP to Windows 10 and from Server 2003 to Server 2016. Theoretically and earlier versions should be vulnerable.
"It is not so easy to detect the exploit, because this attack could be developed using e.gconditions of the OS without causing any notice to the victim," Castro says.
We can discover the attack on RID by examining the [Windows] registry and checking for inconsistencies in SAM (Security Account Manager).
If the guest account's SID has a RID of 500, the guest account has administrator rights.
______________
- Online Piracy: The story of piracy before the World Wide Web
- Google new privacy settings
- Copyright Directive in Europe: What does this mean?
- Windows Disable unnecessary services