A security researcher from Colombia He discovered one way (0Day) to have administrator rights and boot persistence on every computer that uses Windows.
The surprising thing is that the technique was publicly released for the first time in December of 2017, but was never mentioned by the media despite its seriousness.
Also, this particular 0Day does not seem to have been taken into account by malware developers.
0Day was discovered by Sebastián Castro, a CSL security researcher. The exploit targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).
RID is a code added to the end of each account's security identifier (SID from security identifier) and describes the team user rights. There are many RIDs available, but the most common are 501 for the standard guest account and 500 for administrator accounts.
Castro, with the help of CSL CEO Pedro García, discovered that the keys registery store information for each Windows account. From there he could modify the RID associated with a particular account and grant it a different RID from the admins group.
The technique does not allow a hacker to remotely infect a computer unless it is exposed to the Internet without a password.
Of course we should mention that there are also cases where a hacker can access a system with someone malware. In case he gains access with single user rights, it is now very simple to become an administrator with full access to the Windows system.
Let's also mention that registry keys work immediately from boot persistence. Thus, all modifications made to the RID of accounts remain permanent until they are corrected.
Η επίθεση είναι πολύ αξιόπιστη. Δοκιμάστηκε και βρέθηκε ότι λειτουργεί άψογα σε όλες τις εκδόσεις των Windows από τα XP μέχρι τα Windows 10 και από τον Server & Hosting 2003 μέχρι τον Server 2016. Θεωρητικά και οι παλαιότερες εκδόσεις θα πρέπει να είναι ευάλωτες.
"It is not so easy to detect the exploit, because this attack could be deployed using OS resources without causing any alert to the victim," Castro says.
We can discover the attack on RID by examining the [Windows] registry and checking for inconsistencies in SAM (Security Account Manager).
If the guest account's SID has a RID of 500, the guest account has administrator rights.
______________
- Online Piracy: The story of piracy before the World Wide Web
- Google new privacy settings
- Copyright Directive in Europe: What does this mean?
- Windows Disable unnecessary services