HITB Lab: Introduction to Windows Logical Privilege Escalation


More and more code running on Windows is done inside sandboxes or as non-administrators. This makes privilege escalation more important than ever. Memory corruptions are a common way of gaining higher privileges but Windows has been introducing more mitigations making exploitation harder. Logical vulnerabilities on the other hand are typically not affected by mitigations such as ASLR or DEP, but they’re generally more difficult to find. As an added complication they cannot be easily discovered through typical fuzzing approaches. This 2hr workshop will go through an introduction to finding and exploiting these logical privilege escalation vulnerabilities on Windows.

Some of the topics to be presented will be:

* Windows Internals as relevant to privilege escalation
* Types of sandboxes, restricted and low box tokens
* Under the hood
* Attack surface analysis:
* Probing the sandbox and the system
* COM services
* Exposed device drivers
* File and registry vulnerabilities
* How to find them and what to look for
* Exploitation
* Token vulnerabilities
* How to find them and what to look for
* Exploitation
* UAC and unusual unfixed vulnerabilities
* Working examples of based on previous vulnerabilities

Attendees are welcome to participate through the workshop by having access to a Windows 10 32 bit VM installation. Access to all tools and examples demonstrated on the day will be provided.

Location: Track 3 / HITB Labs Date: April 14, 2017 Time: 10:45 am - 12:45 pm James Forshaw