A security researcher from Colombia has discovered a way (a 0Day) to obtain administrator rights and boot persistence on any computer running Windows.
The surprising thing is that the technique was publicly released for the first time in December of 2017, but was never mentioned by the media despite its seriousness.
Nor does this particular 0Day appear to have been picked up by malware developers so far.
The 0Day was discovered by Sebastián Castro, a CSL security researcher. The exploit targets one of the parameters of Windows user accounts, known as the Relative Identifier (RID).
The RID is a code appended to the end of each account's security identifier (SID) and describes the rights group the user belongs to. Many RIDs exist, but the most common are 501 for the standard Guest account and 500 for the Administrator account.
Castro, with the help of CSL CEO Pedro García, discovered that registry keys store information for each Windows account. From there, he could modify the RID associated with a particular account and assign it a different RID, that of the administrator group.
The technique does not allow a hacker to infect a computer remotely unless it is exposed to the Internet without a password.
Of course, there are also cases where a hacker gains access to someone's system through malware. If he gains access with plain user rights, it is now very simple to become an administrator with full access to the Windows system.
Note too that the registry keys take effect immediately and survive reboots. Thus, all modifications made to the RID of accounts remain permanent until they are corrected.
The attack is very reliable. It has been tested and found to work flawlessly on all versions of Windows from XP to Windows 10 and from Server 2003 to Server 2016. In theory, older versions should also be vulnerable.
"It is not so easy to detect the exploit, because this attack could be developed using e.g. conditions of the OS without causing any notification to the victim," Castro says.
The attack on the RID can be discovered by examining the Windows registry and checking for inconsistencies in the SAM (Security Account Manager).
If the Guest account's SID carries a RID of 500, the Guest account has administrator rights.
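The consistency check described above, as an added example that is not part of the article or of CSL's own tooling: it walks the SAM user keys and compares the RID each key is named after with the RID recorded inside the key's F value. It assumes that the F value stores the account RID as a 4-byte little-endian integer at offset 0x30, and that it is run as SYSTEM (for example via `psexec -s powershell.exe`), because Administrators cannot read HKLM\SAM by default. The function name `Get-RidInconsistency` is the example's own.

```powershell
# Added example, not from the article: flag SAM accounts whose effective RID
# differs from the RID their registry key is named after (e.g. key 000001F5,
# the Guest account, whose F value reports 500).
# Assumptions: RID is a 4-byte little-endian value at offset 0x30 of the F value,
# and the session runs as SYSTEM so HKLM\SAM is readable.

$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-RidInconsistency {
    Get-ChildItem -Path $usersKey -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |   # skip the 'Names' subkey
        ForEach-Object {
            $keyRid = [Convert]::ToUInt32($_.PSChildName, 16)          # RID from the key name (hex)
            $f = (Get-ItemProperty -Path $_.PSPath -Name 'F').F       # REG_BINARY comes back as byte[]
            if ($f.Length -lt 0x34) { return }                        # too short to hold the RID field
            $effectiveRid = [BitConverter]::ToUInt32($f, 0x30)        # RID the OS actually uses
            [pscustomobject]@{
                Key          = $_.PSChildName
                KeyRid       = $keyRid
                EffectiveRid = $effectiveRid
                Hijacked     = ($keyRid -ne $effectiveRid)
            }
        }
}

$results = Get-RidInconsistency
$results | Format-Table -AutoSize

$suspicious = $results | Where-Object Hijacked
if ($suspicious) {
    $list = ($suspicious | ForEach-Object { "$($_.Key) -> $($_.EffectiveRid)" }) -join ', '
    Write-Warning "RID mismatch detected in SAM: $list"
}
```

A clean system lists every key with `Hijacked` set to `False`; a Guest key (000001F5) whose `EffectiveRid` reads 500 is exactly the condition the article describes. Because the change lives in the registry, the check is also worth scheduling after reboots, and the offending F value should be restored from a known-good state rather than merely reported.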