Presentation Title: Token Kidnapping
This presentation covers a new technique for elevating privileges on Windows, mostly from services. The technique exploits design weaknesses in Microsoft Windows XP, 2003, Vista and even Windows 2008. Although many new security protections have been added in Windows Vista and 2008, these weaknesses make some of the new protection mechanisms almost useless.
The talk explains how, on Windows XP and 2003, it is possible to elevate privileges to LOCAL SYSTEM from any process that has impersonation rights, and how, on Windows Vista and Windows 2008, it is possible to elevate privileges to LOCAL SYSTEM from processes running under the NETWORK SERVICE and LOCAL SERVICE accounts. This demonstrates that running code under NETWORK SERVICE or LOCAL SERVICE makes no sense, since it is always possible to end up running code under the LOCAL SYSTEM account. 0day code for elevating privileges in SQL Server and Internet Information Services will be shown.
Cesar Cerrudo is a security researcher and consultant specializing in application security.
Cesar runs his own company, Argeniss (www.argeniss.com). Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security, attacks and exploitation techniques, and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest and WebSec. Cesar collaborates with and is regularly quoted in online publications such as eWeek, ComputerWorld, etc.