BSides Cape Town

LPE in enterprise software
12-02, 11:40–12:20 (Africa/Johannesburg), Track 3

I found a local privilege escalation bug in a popular enterprise teleconferencing software on Windows, and would like to share my journey, and the technique I discovered that prevented Defender from blocking the exploitation of it.


Recently, I was given the task to obtain NT AUTHORITY\SYSTEM on an enterprise laptop, from a low-privileged employee account. While it may sound easy, on a fully patched Windows system it’s often hard, so much so that Zerodium will give you $80K for a general Windows LPE.
Luckily, I didn’t need to exploit Windows itself - the system came installed with some enterprise software. It had a telecoms app that had a checkered past - various researchers had found privilege escalation bugs in previous versions of it and posted blogs and POCs about it. The system was running the latest version of the telecoms app, which the prior researchers had given a clean bill of health.
After several days playing with procmon and Ghidra, I found a way to exploit the upgrade functionality of the software, so that I could change the permissions of any file on the Windows system. This would allow an attacker to overwrite any binary file they know will be executed at some point as SYSTEM with a malicious binary of their choosing, allowing them to obtain SYSTEM privileges.
The exploit made use of Windows symlinks, using several of the techniques James Forshaw had initially disclosed. For instance, James disclosed a technique in which an unprivileged user on a Windows system could make a symlink, using the Windows object manager. Unfortunately, Windows Defender these days blocks the use and creation of these symlinks, under the banner of malicious behavior.
After some more coffee and time, I found a way to exploit the telecom software which would not be blocked by Defender, by replacing the James Forshaw style symlinks with a chain of directory junctions that would, at some point in time, change where they pointed towards. This technique will be useful for attackers searching for new LPE bugs in the future.
To wrap it all up, I found a way to start an executable file of the telecom app as SYSTEM. This meant I could run the exploit to change the permissions of this binary, replace it with my own malicious one, and then invoke it to run as SYSTEM.
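The bug class described above hinges on a privileged component (here, the upgrade routine) acting on a path whose components an unprivileged user can retarget through symlinks or directory junctions. The check below is an added illustration of the mitigation a developer of such software would want, not code from the talk or from the affected product: walk every component of the path with `lstat` and refuse to proceed if any component is a reparse point, so a junction or link swapped in between check and use is caught rather than followed. The scenario in `demo()` (a `staging` directory replaced by a link) is constructed; on Windows the same function also flags directory junctions via `st_file_attributes`, which Python exposes on that platform.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows attribute bit for junctions/symlinks/mount points; defined locally so
# the check is also importable and testable on POSIX hosts.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path: str) -> bool:
    """True if `path` itself is a symlink (POSIX and Windows) or any other
    reparse point such as a directory junction (Windows only)."""
    st = os.lstat(path)  # lstat: inspect the link, do not follow it
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_components(path: str) -> list:
    """Walk `path` from the root down and return every component that is a
    reparse point. A privileged service handling a user-influenced path should
    refuse to continue if the list is non-empty: any such component can be
    retargeted between the check and the privileged file operation."""
    p = Path(path).absolute()  # deliberately not resolve(): inspect links as written
    found = []
    current = Path(p.anchor)
    for part in p.parts[1:]:
        current = current / part
        if not current.exists() and not current.is_symlink():
            break  # nothing further exists yet; nothing left to inspect
        if is_reparse_point(str(current)):
            found.append(str(current))
    return found


def demo() -> dict:
    """Constructed scenario (hypothetical layout): an updater trusts
    <root>/staging, but 'staging' has been replaced by a link to another
    directory. Returns the reparse components found for an honest path and
    for the path that goes through the link."""
    root = tempfile.mkdtemp()
    real = os.path.join(root, "real_target")
    os.mkdir(real)
    link = os.path.join(root, "staging")
    os.symlink(real, link, target_is_directory=True)
    honest = os.path.join(real, "update.bin")
    open(honest, "wb").close()
    tricky = os.path.join(link, "update.bin")
    return {
        "honest": find_reparse_components(honest),
        "tricky": find_reparse_components(tricky),
    }


if __name__ == "__main__":
    result = demo()
    print("honest path reparse components:", result["honest"])
    print("tricky path reparse components:", result["tricky"])
```

The component walk is what makes this useful against the junction-chain variant: resolving the final path once and checking only the leaf would miss a junction several levels up that is swapped after the check. On Windows, the equivalent at the API level is opening each component with `FILE_FLAG_OPEN_REPARSE_POINT` (or performing the operation while impersonating the low-privileged user) so that the privileged process never follows a redirection it did not create.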

Key takeaways:
• How symlink-based LPEs work
• How to make use of the directory junction technique

Reino likes to hack things, and drink coffee.