0Day for all Windows (XP - Windows 10 - Server)

A security researcher from Colombia He discovered a way (0Day) to have administrator rights and boot persistence in each using Windows.

The surprising thing is that the technique was publicly released for the first time in December of 2017, but was never mentioned by the media despite its seriousness.

Also, this particular 0Day does not seem to have been taken into account by malware developers.

0Day was discovered by Sebastián Castro, a CSL security researcher. The exploit targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).

RID is a code added at the end of the security IDs of each account (SID from the security identifier) ​​and describes the user's rights group. There are many RIDs available, but the most common are 501 for the standard guest account and 500 for Administrator accounts.

Castro, with the help of CSL CEO Pedro García, discovered that registry keys store information for each Windows account. From there, he could modify the RID associated with a particular account and give him a different RID than the manager group.

The technique does not allow a hacker to remotely infect a computer unless it is exposed to without password.

Of course we should mention that there are also cases where a hacker can have access to someone with some malware. In case he gains access with simple user rights, it is now very simple to become an administrator with full access to the Windows system.

Let's also mention that registry keys work immediately from boot persistence. Thus, all modifications made to the RID of accounts remain permanent until they are corrected.

The attack is very reliable. It has been tested and found to work flawlessly on all versions of Windows from XP to and from Server 2003 to Server 2016. In theory, older versions should also be vulnerable.

"It is not so easy to detect the exploit, because this attack could be developed using e.g of the OS without causing any notification to the victim,” Castro says.

We can discover the attack on RID by examining the [Windows] registry and checking for inconsistencies in SAM (Security Account Manager).

If the guest account's SID has a RID of 500, the guest account has administrator rights.

Also mention (without suggesting) that this particular exploit can help you get an administrator account on systems that have put you as a user.

______________

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).