SlideShare a Scribd company logo

Abusing Symlinks on Windows

OWASP Delhi
OWASP Delhi

This document summarizes a presentation about abusing symbolic links on Windows. It discusses how symbolic links are implemented for object manager objects, registry keys, and NTFS files. It outlines different classes of vulnerabilities like resource overwrite, information disclosure, and time-of-check/time-of-use issues. Examples are given of vulnerabilities in Internet Explorer and the Windows Task Scheduler. Exploitation techniques like using object manager symlinks, mount points, and OPLOCKs are also described.

Technology
1 of 99
Download to read offline
A Link to the Past Abusing Symbolic Links on Windows James Forshaw @tiraniddo 1
James Forshaw @tiraniddo Obligatory Background Slide ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like https://www.flickr.com/photos/barretthall/2478623520/ 2
James Forshaw @tiraniddo What I’m Going to Talk About ● Implementation of Symbolic Links on Windows ● Exploitable Bug Classes ● Example vulnerabilities ● Offensive exploitation tricks 3
James Forshaw @tiraniddo Symbolic Links 4
James Forshaw @tiraniddo Dangers of Symbolic Links 5
James Forshaw @tiraniddo Resource Creation or Overwrite 6 Privileged Application pathtoresource Write to resource sensitivepath Symbolic Link
James Forshaw @tiraniddo Information Disclosure 7 Privileged Application pathtoresource Read Resource sensitivepath Symbolic Link Disclosure Unprivileged Application
James Forshaw @tiraniddo Time of Check/Time of Use 8 Privileged Application pathtoresource Check and use Resource validfile Check Symbolic Link maliciousfile Use Symbolic Link
James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links 9
James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions 10
James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links 11
James Forshaw @tiraniddo Object Manager Symbolic Links 12
James Forshaw @tiraniddo Named Objects 13 IO/File ??C:Windowsnotepad.exe DeviceNamedPipemypipe Registry RegistryMachineSoftware Semaphore BaseNamedObjectsMySema
James Forshaw @tiraniddo Creating Object Manager Symbolic Links HANDLE CreateSymlink(LPCWSTR linkname, LPCWSTR targetname) { OBJECT_ATTRIBUTES obj_attr; UNICODE_STRING name, target; HANDLE hLink; RtlInitUnicodeString(&name, linkname); RtlInitUnicodeString(&target, targetname); InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr); NtCreateSymbolicLinkObject(&hLink, SYMBOLIC_LINK_ALL_ACCESS, &obj_attr, &target); return hLink; } 14
James Forshaw @tiraniddo Parsing Name Object Manager Reparsing NtOpenSemaphore 15 MyObjectsGlobalMySema
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName 16 Parsing Name MyObjectsGlobalMySema
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName 17 Parsing Name MyObjectsGlobalMySema Current Component
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName 18 Parsing Name MyObjectsGlobalMySema Current Component
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink 19 Parsing Name MyObjectsGlobalMySema Current Component Global → BaseNamedObjects
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink 20 Parsing Name MyObjectsGlobalMySema BaseNamedObjectsMySema Global → BaseNamedObjects
James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink STATUS_REPARSE 21 Parsing Name BaseNamedObjectsMySema
James Forshaw @tiraniddo Abusing Object Manager Symbolic Links ● Most obvious attack is object squatting ○ Redirect privileged object creation to another name ○ Open named pipes for attacking impersonation ○ Shadowing ALPC ports ● File symlink attacks perhaps more interesting! 22
James Forshaw @tiraniddo Example Vulnerability IE EPM MOTWCreateFile Information Disclosure 23
James Forshaw @tiraniddo IE Shell Broker MOTWCreateFile 24 HANDLE MOTWCreateFile(PCWSTR FileName, ...) { if (FileHasMOTW(FileName) || IsURLFile(FileName)) { return CreateFile(FileName, GENERIC_READ, ...); } } BOOL IsURLFile(PCWSTR FileName) { PCWSTR extension = PathFindExtension(FileName); return wcsicmp(extension, L".url") == 0; }
James Forshaw @tiraniddo Win32 Path Support Path Description somepath Relative path to current directory c:somepath Absolute directory .c:somepath Device path, canonicalized ?c:somepath Device path, non- canonicalized Interesting!
James Forshaw @tiraniddo Win32 to Native NT File Paths 26 .c:somepathWin32 Path
James Forshaw @tiraniddo Win32 to Native NT File Paths 27 .c:somepath ??c:somepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName
James Forshaw @tiraniddo Win32 to Native NT File Paths 28 .c:somepath ??c:somepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName DeviceHarddiskVolume4somepath ObpLookupObjectName After Lookup
James Forshaw @tiraniddo Global Root Symlink 29 .GLOBALROOTsomepathWin32 Path Empty Symlink Path
James Forshaw @tiraniddo Global Root Symlink 30 .GLOBALROOTsomepath ??GLOBALROOTsomepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName Empty Symlink Path
James Forshaw @tiraniddo Global Root Symlink 31 .GLOBALROOTsomepath ??GLOBALROOTsomepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName somepath ObpLookupObjectName After Lookup Empty Symlink Path
James Forshaw @tiraniddo Writeable Object Directories from IE Sandbox 32 Path Sandbox RPC Control PM SessionsXBaseNamedObjects PM SessionsXAppContainerNamedObjectsSID... EPM
James Forshaw @tiraniddo Exploiting IShDocVwBroker* broker; CreateSymlink(L"RPC Controlfake.url", L"??C:somefile"); broker->MOTWCreateFile( L".GLOBALROOTRPC Controlfake.url", ...); // Read File 33
James Forshaw @tiraniddo Registry Key Symbolic Links 34
James Forshaw @tiraniddo Under the hood 35 NtOpenKey ObOpenObjectByName ObpLookupObjectName Parsing Name RegistryMachineMylink
James Forshaw @tiraniddo Under the hood 36 NtOpenKey ObOpenObjectByName ObpLookupObjectName CmpParseKey Parsing Name RegistryMachineMylink CmpGetSymbolicLink Current Component
James Forshaw @tiraniddo Under the hood 37 NtOpenKey ObOpenObjectByName ObpLookupObjectName CmpParseKeySTATUS_REPARSE CmpGetSymbolicLink Parsing Name RegistryMachineMylink RegistryMachineNewKey
James Forshaw @tiraniddo Serious Limitations ● Windows 7 fixed numerous issues with registry symbolic links ○ Blocked symlinks between untrusted (user) and trusted (local machine) hives ○ Symbolic link must be a valid registry path ● MS10-021 ensured it was also available downstream ● Still can exploit user to user vulnerabilities such as in IE EPM ○ CVE-2013-5054 ○ CVE-2014-6322 ● Mitigation (pass flag to RegCreateKeyEx) still undocumented 38
James Forshaw @tiraniddo NTFS Mount Points / Directory Junctions 39
James Forshaw @tiraniddo Under the hood 40 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylinkfile NTFS Driver
James Forshaw @tiraniddo Under the hood 41 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylinkfile ??C:Windows NTFS Driver
James Forshaw @tiraniddo Under the hood 42 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice NTFS Driver STATUS_REPARSE Parsing Name ??C:Windowsfile
James Forshaw @tiraniddo Structure of a Mount Point typedef struct MOUNT_POINT_REPARSE_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; WCHAR PathBuffer[1]; }; 43 Set to 0xA0000003 for Mount Point Substitute NT Name Print Name? String Data Header Reparse Data
James Forshaw @tiraniddo Create a Mount Point PREPARSE_DATA_BUFFER reparse_buffer = BuildMountPoint(target); CreateDirectory(dir); HANDLE handle = CreateFile(dir, ..., FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, ...); DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT, reparse_buffer, reparse_buffer.size(), ...); 44
James Forshaw @tiraniddo Mount Point Limitations ● Directory must be empty to set the reparse data ● Target device must be an IO device (no opening registry keys for example) ● Target device heavily restricted in IopParseDevice: 45 IO_PARSE_CONTEXT *ctx; if (ctx->LastReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { switch(TargetDeviceType) { case FILE_DEVICE_DISK: case FILE_DEVICE_CD_ROM: case FILE_DEVICE_VIRTUAL_DISK: case FILE_DEVICE_TAPE: break; default: return STATUS_IO_REPARSE_DATA_INVALID; } } Limited Device Subset
James Forshaw @tiraniddo Example Vulnerability Windows Task Scheduler TOCTOU Arbitrary File Creation 46
James Forshaw @tiraniddo Running a Scheduled Task 47 void Load_Task_File(string task_name, string orig_hash) { string task_path = "c:windowssystem32tasks" + task_name; string file_hash = Hash_File(task_path); if (file_hash != orig_hash) { Rewrite_Task_File(task_path); } } Hash task file contents Rewrite Task without Impersonation
James Forshaw @tiraniddo System Task Folder Writable from normal user privilege, therefore can create a mount point directory 48
James Forshaw @tiraniddo Winning the Race Condition 49 Hash File Rewrite Task File ???? Profit?
James Forshaw @tiraniddo Is that an OPLOCK in your Pocket? void SetOplock(HANDLE hFile) { REQUEST_OPLOCK_INPUT_BUFFER inputBuffer; REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer; OVERLAPPED overlapped; overlapped.hEvent = CreateEvent(...); DeviceIoControl(hFile, FSCTL_REQUEST_OPLOCK, &inputBuffer, sizeof(inputBuffer), &outputBuffer, sizeof(outputBuffer), nullptr, &overlapped); WaitForSingleObject(overlapped.hEvent, ...); } 50
James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 51 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:dummy Open File for Reading C:DummyMyTask
James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 52 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Change Mount Point Location Event Set
James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 53 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Release Oplock Change Mount Point Location Event Set
James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 54 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Generate and Verify Hash of File C:DummyMyTask Release Oplock Change Mount Point Location Event Set
James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 55 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Rewrite Task File C:WindowsMyTask Generate and Verify Hash of File C:DummyMyTask Release Oplock Change Mount Point Location Event Set
James Forshaw @tiraniddo OPLOCK Limitations ● Can’t block on access to standard attributes or FILE_READ_ATTRIBUTES ● One-shot, need to be quick to reestablish if opened multiple times ● Can get around attribute reading in certain circumstances by oplocking a directory. ● For example these scenarios opens directories for read access ○ Shell SHParseDisplayName accesses each directory in path ○ GetLongPathName or GetShortPathName ○ FindFirstFile/FindNextFile 56
James Forshaw @tiraniddo DEMO OPLOCKs in Action 57
James Forshaw @tiraniddo NTFS Symbolic Links 58
James Forshaw @tiraniddo Structure of a Symbolic Link typedef struct SYMLINK_REPARSE_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; USHORT Flags; WCHAR PathBuffer[1]; }; 59 Set to 0xA000000C for SymlinkHeader Reparse Data Flags: 0 - Absolute path 1 - Relative path
James Forshaw @tiraniddo Create Symlink Privilege Admin user - Yay! Normal user - Boo :-( 60
James Forshaw @tiraniddo Create Symbolic Link Privilege NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) { // Validation ... PREPARSE_DATA_BUFFER* reparse_buf; if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) && (ctx->Type != FILE_DIRECTORY)) { return STATUS_NOT_A_DIRECTORY; } if ((reparse_buf->ReparseTag == IO_REPARSE_SYMLINK) && ((ctx->Flags & 0x400) == 0)) { return STATUS_ACCESS_DENIED } // ... } 61
James Forshaw @tiraniddo Create Symbolic Link Privilege NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) { // Validation ... PREPARSE_DATA_BUFFER* reparse_buf; if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) && (ctx->Type != FILE_DIRECTORY)) { return STATUS_NOT_A_DIRECTORY; } if ((reparse_buf->ReparseTag == IO_REPARSE_SYMLINK) && ((ctx->Flags & 0x400) == 0)) { return STATUS_ACCESS_DENIED } // ... } Context must contain 0x400 flag 62
James Forshaw @tiraniddo Flags Setting NTSTATUS NtfsSetCcbAccessFlags(NTFS_FILE_CONTEXT* ctx) { ACCESS_MODE AccessMode = NtfsEffectiveMode(); if (ctx->HasRestorePrivilege) { ctx->Flags |= 0x400; } if (AccessMode == KernelMode || SeSinglePrivilegeCheck(&SeCreateSymbolicLinkPrivilege, &security_ctx, UserMode)) { ctx->Flags |= 0x400; } // ... } 63
James Forshaw @tiraniddo Hypothetical Scenario NTSTATUS Handle_OpenLog(PIRP Irp) { OBJECT_ATTRIBUTES objattr; UNICODE_STRING name; RtlInitUnicodeString(&name, L"SystemRootLogFilesuser.log"); InitObjectAttributes(&objattr, &name, 0, 0, 0, 0); PHANDLE Handle = Irp->AssociatedIrp->SystemBuffer; return ZwCreateFile(Handle, &objattr, ...); } 64 Returns handle to user mode process
James Forshaw @tiraniddo 65 SMBv2 Symbolic Links https://msdn.microsoft.com/en-us/library/cc246542.aspx
James Forshaw @tiraniddo SMBv2 Symbolic Link Restrictions 66 ● Remote to Local would be useful ● Disabled by default in local security policy
James Forshaw @tiraniddo Back to IopParseDevice enum SymlinkDeviceType { Local, Network }; if (ctx->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { // ... } else { SymlinkDeviceType target_type = GetSymlinkDeviceType(TargetDeviceType); if (target_type == Local || target_type == Network) { if (!NT_SUCCESS(IopSymlinkEnforceEnabledTypes( target_type, ctx->last_target_type))) { return STATUS_IO_REPARSE_DATA_INVALID; } } } 67 Enforces Symlink Traversal based on device types
James Forshaw @tiraniddo MRXSMB20 NTSTATUS Smb2Create_Finalize(SMB_CONTEXT* ctx) { // Make request and get response if (RequestResult == STATUS_STOPPED_ON_SYMLINK) { result = FsRtlValidateReparsePointBuffer( ctx->ErrorData, ctx->ErrorDataLength); if (!NT_SUCCESS(result)) { return result; } } // ... } 68 No check on ReparseTag
James Forshaw @tiraniddo SMBv2 Device Type Bypass 69 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver Parsing Name serversharefile Current Component Server Create sharefile
James Forshaw @tiraniddo SMBv2 Device Type Bypass 70 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver STATUS_REPARSE Parsing Name serversharefile Current Component Server STATUS_STOPPED_ON_SYMLINK with IO_REPARSE_TAG_MOUNT_POINT
James Forshaw @tiraniddo SMBv2 Device Type Bypass 71 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver Parsing Name serversharefile ??C:hello.txt Server NTFS Driver
James Forshaw @tiraniddo DEMO 72 SMBv2 Local File Disclosure in IE
James Forshaw @tiraniddo File Symbolic Links - Without Permissions 73
James Forshaw @tiraniddo First Try Default CreateFile call won’t open the file. Returns Access Denied 74
James Forshaw @tiraniddo Success FILE_FLAG_BACKUP_SEMANTICS allows us to open the file 75
James Forshaw @tiraniddo The NtCreateFile Paradox FILE_DIRECTORY_FILE Flag FILE_NON_DIRECTORY_FILE Flag 76 Neither FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE
James Forshaw @tiraniddo The Old ADS Directory Trick Using $INDEX_ALLOCATION stream will bypass initial directory failure 77
James Forshaw @tiraniddo Let Our Powers Combine 78
James Forshaw @tiraniddo Let Our Powers Combine 79 NtOpenFile ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylink RPC Controlmylink NTFS Driver STATUS_REPARSE
James Forshaw @tiraniddo 80 NtOpenFile ObpLookupObjectName IopParseDevice NTFS Driver ObpParseSymbolicLink STATUS_REPARSE Parsing Name RPC Controlmylink ??C:hello.txt Let Our Powers Combine
James Forshaw @tiraniddo Persisting the Symlink ● Might be useful to persist the symlink between login sessions ● Can’t pass OBJ_PERMANENT directly ○ Needs SeCreatePermanentPrivilege ● Get CSRSS to do it for us :-) 81 DefineDosDeviceW( DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, L"GLOBALROOTRPC Controlmylink", L"TargetPath" );
James Forshaw @tiraniddo Combined Symbolic Link Limitations ● All existing limitations of Mount Points apply ● Vulnerable application can’t try to list or inspect the mount point itself ○ Listing the directory ○ Open for GetFileAttributes or similar ● Can mitigate somewhat by clever tricks with oplocks on directory hierarchy 82
James Forshaw @tiraniddo DEMO One More Thing! 83
James Forshaw @tiraniddo DEMO One More Thing! 84
James Forshaw @tiraniddo CVE-2015-1644 85
James Forshaw @tiraniddo DosDevice Prefix 86 ??c:somepath THE PREFIX IS A LIE
James Forshaw @tiraniddo DosDevice Prefix 87 Sessions0DosDevicesX-Yc:somepath ??c:somepath
James Forshaw @tiraniddo DosDevice Prefix 88 Sessions0DosDevicesX-Yc:somepath ??c:somepath GLOBAL??c:somepath
James Forshaw @tiraniddo New C: Drive 89
James Forshaw @tiraniddo Windows User Impersonation 90
James Forshaw @tiraniddo Very Exploitable Behaviour 91 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll
James Forshaw @tiraniddo Very Exploitable Behaviour 92 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll
James Forshaw @tiraniddo Very Exploitable Behaviour 93 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll Sessions0DosDevicesX-Yc:secure.dll
James Forshaw @tiraniddo Very Exploitable Behaviour 94 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll Sessions0DosDevicesX-Yc:secure.dll c:somearbitrary.dll
James Forshaw @tiraniddo Very Exploitable Behaviour 95 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("secure.dll"); RevertToSelf(); } void COMExploitableFunction() { ImpersonateLoggedOnUser(hToken); CoCreateInstance(CLSID_SecureObject, ...); RevertToSelf(); }
James Forshaw @tiraniddo Finding an Ideal Service 96 Requirement Spooler Service Runs as NT AUTHORITYSYSTEM Yup Uses impersonation Definitely Accessible by normal user Kind of the point Has a habit of loading DLLs Think of all the printer drivers
James Forshaw @tiraniddo DEMO REALLY One More Thing! 97
James Forshaw @tiraniddo Links and References ● Symlink Testing Tools https://github.com/google/symboliclink-testing-tools ● File Test Application https://github.com/ladislav-zezula/FileTest 98
James Forshaw @tiraniddo Questions? 99

Recommended

Privileged file operations_bug_on_windows
Privileged file operations_bug_on_windowsPrivileged file operations_bug_on_windows
Privileged file operations_bug_on_windowsSai Lay
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 

Recommended

Privileged file operations_bug_on_windows
Privileged file operations_bug_on_windowsPrivileged file operations_bug_on_windows
Privileged file operations_bug_on_windowsSai Lay
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Not a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account ControlNot a Security Boundary: Bypassing User Account Control
Not a Security Boundary: Bypassing User Account Controlenigma0x3
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft⭕Alexander Rymdeko-Harvey
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Exploring the Portable Executable format
Exploring the Portable Executable formatExploring the Portable Executable format
Exploring the Portable Executable formatAnge Albertini
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsJames Forshaw
 
Change Management 13 things to consider
Change Management 13 things to considerChange Management 13 things to consider
Change Management 13 things to considerpck100
 

More Related Content

What's hot

Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Exploring the Portable Executable format
Exploring the Portable Executable formatExploring the Portable Executable format
Exploring the Portable Executable formatAnge Albertini
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 

What's hot (20)

Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
RAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial TradecraftRAT - Repurposing Adversarial Tradecraft
RAT - Repurposing Adversarial Tradecraft
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Exploring the Portable Executable format
Exploring the Portable Executable formatExploring the Portable Executable format
Exploring the Portable Executable format
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 

Viewers also liked

The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsJames Forshaw
 
Change Management 13 things to consider
Change Management 13 things to considerChange Management 13 things to consider
Change Management 13 things to considerpck100
 
Italian shopping
Italian shoppingItalian shopping
Italian shoppingJack740
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειοelpitheo
 
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)Florian Haas
 
United small business
United small businessUnited small business
United small businessJack740
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonOWASP Delhi
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειοelpitheo
 
More about health
More about healthMore about health
More about healthJack740
 
One Thor - Presentazione Giugno-Luglio 2014
One Thor - Presentazione Giugno-Luglio 2014 One Thor - Presentazione Giugno-Luglio 2014
One Thor - Presentazione Giugno-Luglio 2014 OnethorSlide
 
Meet the DIVA - by: Sandeep & Ankit
Meet the DIVA - by: Sandeep & Ankit Meet the DIVA - by: Sandeep & Ankit
Meet the DIVA - by: Sandeep & Ankit OWASP Delhi
 

Viewers also liked (14)

The Joy of Sandbox Mitigations
The Joy of Sandbox MitigationsThe Joy of Sandbox Mitigations
The Joy of Sandbox Mitigations
 
Change Management 13 things to consider
Change Management 13 things to considerChange Management 13 things to consider
Change Management 13 things to consider
 
How To Stop Smoking
How To Stop SmokingHow To Stop Smoking
How To Stop Smoking
 
Italian shopping
Italian shoppingItalian shopping
Italian shopping
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειο
 
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)
Speak! How to talk in public and not wreck your voice (Ignite OSCON 2014)
 
Mitsubishi company
Mitsubishi companyMitsubishi company
Mitsubishi company
 
United small business
United small businessUnited small business
United small business
 
Gajendra_Resume1
Gajendra_Resume1Gajendra_Resume1
Gajendra_Resume1
 
Hacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh JadonHacking Wireless Networks by Mandeep Singh Jadon
Hacking Wireless Networks by Mandeep Singh Jadon
 
νεο λυκειο
νεο λυκειονεο λυκειο
νεο λυκειο
 
More about health
More about healthMore about health
More about health
 
One Thor - Presentazione Giugno-Luglio 2014
One Thor - Presentazione Giugno-Luglio 2014 One Thor - Presentazione Giugno-Luglio 2014
One Thor - Presentazione Giugno-Luglio 2014
 
Meet the DIVA - by: Sandeep & Ankit
Meet the DIVA - by: Sandeep & Ankit Meet the DIVA - by: Sandeep & Ankit
Meet the DIVA - by: Sandeep & Ankit
 

Similar to Abusing Symlinks on Windows

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator actionPacSecJP
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik OpcodesCODE BLUE
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainIgor Korkin
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksNarendra Bhati
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
 
Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"Fwdays
 
Brighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevToolsBrighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevToolsChrisJohnson792
 
Wordpress Security 101
Wordpress Security 101Wordpress Security 101
Wordpress Security 101Robert Rowley
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingZendCon
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3jweiland
 
Thinking hard about_python
Thinking hard about_pythonThinking hard about_python
Thinking hard about_pythonDaniel Greenfeld
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Herokuronnywang_tw
 
Growing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaisesGrowing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaisesPhilip Bauer
 
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEsThotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEsSandra Escandor-O'Keefe
 

Similar to Abusing Symlinks on Windows (20)

James Forshaw, elevator action
James Forshaw, elevator actionJames Forshaw, elevator action
James Forshaw, elevator action
 
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
 
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
[CB17] Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
 
SearchMonkey
SearchMonkeySearchMonkey
SearchMonkey
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web AttacksOWASP Pune Chapter : Dive Into The Profound Web Attacks
OWASP Pune Chapter : Dive Into The Profound Web Attacks
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
 
Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"Andrii Yatsenko "Make the most of Twig"
Andrii Yatsenko "Make the most of Twig"
 
Brighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevToolsBrighton SEO 2021 - A Deep Dive into the Depths of DevTools
Brighton SEO 2021 - A Deep Dive into the Depths of DevTools
 
Wordpress Security 101
Wordpress Security 101Wordpress Security 101
Wordpress Security 101
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at Ning
 
Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information Gathering
 
Ext 0523
Ext 0523Ext 0523
Ext 0523
 
Security Checklist for TYPO3
Security Checklist for TYPO3Security Checklist for TYPO3
Security Checklist for TYPO3
 
Thinking hard about_python
Thinking hard about_pythonThinking hard about_python
Thinking hard about_python
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Growing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaisesGrowing pains - PosKeyErrors and other malaises
Growing pains - PosKeyErrors and other malaises
 
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEsThotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs
 

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using TerraformOWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat IntelligenceOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 

More from OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 

Recently uploaded

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Abusing Symlinks on Windows

  • 1. A Link to the Past Abusing Symbolic Links on Windows James Forshaw @tiraniddo 1
  • 2. James Forshaw @tiraniddo Obligatory Background Slide ● Researcher in Google’s Project Zero team ● Specialize in Windows ○ Especially local privilege escalation ● Never met a logical vulnerability I didn’t like https://www.flickr.com/photos/barretthall/2478623520/ 2
  • 3. James Forshaw @tiraniddo What I’m Going to Talk About ● Implementation of Symbolic Links on Windows ● Exploitable Bug Classes ● Example vulnerabilities ● Offensive exploitation tricks 3
  • 5. James Forshaw @tiraniddo Dangers of Symbolic Links 5
  • 6. James Forshaw @tiraniddo Resource Creation or Overwrite 6 Privileged Application pathtoresource Write to resource sensitivepath Symbolic Link
  • 7. James Forshaw @tiraniddo Information Disclosure 7 Privileged Application pathtoresource Read Resource sensitivepath Symbolic Link Disclosure Unprivileged Application
  • 8. James Forshaw @tiraniddo Time of Check/Time of Use 8 Privileged Application pathtoresource Check and use Resource validfile Check Symbolic Link maliciousfile Use Symbolic Link
  • 9. James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links 9
  • 10. James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions 10
  • 11. James Forshaw @tiraniddo History of Windows Symbolic Links Windows NT 3.1 - July 27 1993 Object Manager Symbolic Links Registry Key Symbolic Links Windows 2000 - Feb 17 2000 NTFS Mount Points and Directory Junctions Windows Vista - Nov 30 2006 NTFS Symbolic Links 11
  • 12. James Forshaw @tiraniddo Object Manager Symbolic Links 12
  • 13. James Forshaw @tiraniddo Named Objects 13 IO/File ??C:Windowsnotepad.exe DeviceNamedPipemypipe Registry RegistryMachineSoftware Semaphore BaseNamedObjectsMySema
  • 14. James Forshaw @tiraniddo Creating Object Manager Symbolic Links HANDLE CreateSymlink(LPCWSTR linkname, LPCWSTR targetname) { OBJECT_ATTRIBUTES obj_attr; UNICODE_STRING name, target; HANDLE hLink; RtlInitUnicodeString(&name, linkname); RtlInitUnicodeString(&target, targetname); InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr); NtCreateSymbolicLinkObject(&hLink, SYMBOLIC_LINK_ALL_ACCESS, &obj_attr, &target); return hLink; } 14
  • 15. James Forshaw @tiraniddo Parsing Name Object Manager Reparsing NtOpenSemaphore 15 MyObjectsGlobalMySema
  • 16. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName 16 Parsing Name MyObjectsGlobalMySema
  • 17. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName 17 Parsing Name MyObjectsGlobalMySema Current Component
  • 18. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName 18 Parsing Name MyObjectsGlobalMySema Current Component
  • 19. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink 19 Parsing Name MyObjectsGlobalMySema Current Component Global → BaseNamedObjects
  • 20. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink 20 Parsing Name MyObjectsGlobalMySema BaseNamedObjectsMySema Global → BaseNamedObjects
  • 21. James Forshaw @tiraniddo Object Manager Reparsing NtOpenSemaphore ObOpenObjectByName ObpLookupObjectName ObpParseSymbolicLink STATUS_REPARSE 21 Parsing Name BaseNamedObjectsMySema
  • 22. James Forshaw @tiraniddo Abusing Object Manager Symbolic Links ● Most obvious attack is object squatting ○ Redirect privileged object creation to another name ○ Open named pipes for attacking impersonation ○ Shadowing ALPC ports ● File symlink attacks perhaps more interesting! 22
  • 23. James Forshaw @tiraniddo Example Vulnerability IE EPM MOTWCreateFile Information Disclosure 23
  • 24. James Forshaw @tiraniddo IE Shell Broker MOTWCreateFile 24 HANDLE MOTWCreateFile(PCWSTR FileName, ...) { if (FileHasMOTW(FileName) || IsURLFile(FileName)) { return CreateFile(FileName, GENERIC_READ, ...); } } BOOL IsURLFile(PCWSTR FileName) { PCWSTR extension = PathFindExtension(FileName); return wcsicmp(extension, L".url") == 0; }
  • 25. James Forshaw @tiraniddo Win32 Path Support Path Description somepath Relative path to current directory c:somepath Absolute directory .c:somepath Device path, canonicalized ?c:somepath Device path, non- canonicalized Interesting!
  • 26. James Forshaw @tiraniddo Win32 to Native NT File Paths 26 .c:somepathWin32 Path
  • 27. James Forshaw @tiraniddo Win32 to Native NT File Paths 27 .c:somepath ??c:somepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName
  • 28. James Forshaw @tiraniddo Win32 to Native NT File Paths 28 .c:somepath ??c:somepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName DeviceHarddiskVolume4somepath ObpLookupObjectName After Lookup
  • 29. James Forshaw @tiraniddo Global Root Symlink 29 .GLOBALROOTsomepathWin32 Path Empty Symlink Path
  • 30. James Forshaw @tiraniddo Global Root Symlink 30 .GLOBALROOTsomepath ??GLOBALROOTsomepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName Empty Symlink Path
  • 31. James Forshaw @tiraniddo Global Root Symlink 31 .GLOBALROOTsomepath ??GLOBALROOTsomepath Win32 Path Native Path RtlDosPathNameToRelativeNtPathName somepath ObpLookupObjectName After Lookup Empty Symlink Path
  • 32. James Forshaw @tiraniddo Writeable Object Directories from IE Sandbox 32 Path Sandbox RPC Control PM SessionsXBaseNamedObjects PM SessionsXAppContainerNamedObjectsSID... EPM
  • 33. James Forshaw @tiraniddo Exploiting IShDocVwBroker* broker; CreateSymlink(L"RPC Controlfake.url", L"??C:somefile"); broker->MOTWCreateFile( L".GLOBALROOTRPC Controlfake.url", ...); // Read File 33
  • 34. James Forshaw @tiraniddo Registry Key Symbolic Links 34
  • 35. James Forshaw @tiraniddo Under the hood 35 NtOpenKey ObOpenObjectByName ObpLookupObjectName Parsing Name RegistryMachineMylink
  • 36. James Forshaw @tiraniddo Under the hood 36 NtOpenKey ObOpenObjectByName ObpLookupObjectName CmpParseKey Parsing Name RegistryMachineMylink CmpGetSymbolicLink Current Component
  • 37. James Forshaw @tiraniddo Under the hood 37 NtOpenKey ObOpenObjectByName ObpLookupObjectName CmpParseKeySTATUS_REPARSE CmpGetSymbolicLink Parsing Name RegistryMachineMylink RegistryMachineNewKey
  • 38. James Forshaw @tiraniddo Serious Limitations ● Windows 7 fixed numerous issues with registry symbolic links ○ Blocked symlinks between untrusted (user) and trusted (local machine) hives ○ Symbolic link must be a valid registry path ● MS10-021 ensured it was also available downstream ● Still can exploit user to user vulnerabilities such as in IE EPM ○ CVE-2013-5054 ○ CVE-2014-6322 ● Mitigation (pass flag to RegCreateKeyEx) still undocumented 38
  • 39. James Forshaw @tiraniddo NTFS Mount Points / Directory Junctions 39
  • 40. James Forshaw @tiraniddo Under the hood 40 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylinkfile NTFS Driver
  • 41. James Forshaw @tiraniddo Under the hood 41 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylinkfile ??C:Windows NTFS Driver
  • 42. James Forshaw @tiraniddo Under the hood 42 NtOpenFile ObOpenObjectByName ObpLookupObjectName IopParseDevice NTFS Driver STATUS_REPARSE Parsing Name ??C:Windowsfile
  • 43. James Forshaw @tiraniddo Structure of a Mount Point typedef struct MOUNT_POINT_REPARSE_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; WCHAR PathBuffer[1]; }; 43 Set to 0xA0000003 for Mount Point Substitute NT Name Print Name? String Data Header Reparse Data
  • 44. James Forshaw @tiraniddo Create a Mount Point PREPARSE_DATA_BUFFER reparse_buffer = BuildMountPoint(target); CreateDirectory(dir); HANDLE handle = CreateFile(dir, ..., FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, ...); DeviceIoControl(handle, FSCTL_SET_REPARSE_POINT, reparse_buffer, reparse_buffer.size(), ...); 44
  • 45. James Forshaw @tiraniddo Mount Point Limitations ● Directory must be empty to set the reparse data ● Target device must be an IO device (no opening registry keys for example) ● Target device heavily restricted in IopParseDevice: 45 IO_PARSE_CONTEXT *ctx; if (ctx->LastReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { switch(TargetDeviceType) { case FILE_DEVICE_DISK: case FILE_DEVICE_CD_ROM: case FILE_DEVICE_VIRTUAL_DISK: case FILE_DEVICE_TAPE: break; default: return STATUS_IO_REPARSE_DATA_INVALID; } } Limited Device Subset
  • 46. James Forshaw @tiraniddo Example Vulnerability Windows Task Scheduler TOCTOU Arbitrary File Creation 46
  • 47. James Forshaw @tiraniddo Running a Scheduled Task 47 void Load_Task_File(string task_name, string orig_hash) { string task_path = "c:windowssystem32tasks" + task_name; string file_hash = Hash_File(task_path); if (file_hash != orig_hash) { Rewrite_Task_File(task_path); } } Hash task file contents Rewrite Task without Impersonation
  • 48. James Forshaw @tiraniddo System Task Folder Writable from normal user privilege, therefore can create a mount point directory 48
  • 49. James Forshaw @tiraniddo Winning the Race Condition 49 Hash File Rewrite Task File ???? Profit?
  • 50. James Forshaw @tiraniddo Is that an OPLOCK in your Pocket? void SetOplock(HANDLE hFile) { REQUEST_OPLOCK_INPUT_BUFFER inputBuffer; REQUEST_OPLOCK_OUTPUT_BUFFER outputBuffer; OVERLAPPED overlapped; overlapped.hEvent = CreateEvent(...); DeviceIoControl(hFile, FSCTL_REQUEST_OPLOCK, &inputBuffer, sizeof(inputBuffer), &outputBuffer, sizeof(outputBuffer), nullptr, &overlapped); WaitForSingleObject(overlapped.hEvent, ...); } 50
  • 51. James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 51 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:dummy Open File for Reading C:DummyMyTask
  • 52. James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 52 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Change Mount Point Location Event Set
  • 53. James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 53 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Release Oplock Change Mount Point Location Event Set
  • 54. James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 54 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Generate and Verify Hash of File C:DummyMyTask Release Oplock Change Mount Point Location Event Set
  • 55. James Forshaw @tiraniddo User Application Exploitation Task Scheduler Service 55 IRegisteredTask::Run Current Mount Point: MyTaskFolder → C:windows Open File for Reading C:DummyMyTask Rewrite Task File C:WindowsMyTask Generate and Verify Hash of File C:DummyMyTask Release Oplock Change Mount Point Location Event Set
  • 56. James Forshaw @tiraniddo OPLOCK Limitations ● Can’t block on access to standard attributes or FILE_READ_ATTRIBUTES ● One-shot, need to be quick to reestablish if opened multiple times ● Can get around attribute reading in certain circumstances by oplocking a directory. ● For example these scenarios opens directories for read access ○ Shell SHParseDisplayName accesses each directory in path ○ GetLongPathName or GetShortPathName ○ FindFirstFile/FindNextFile 56
  • 58. James Forshaw @tiraniddo NTFS Symbolic Links 58
  • 59. James Forshaw @tiraniddo Structure of a Symbolic Link typedef struct SYMLINK_REPARSE_BUFFER { ULONG ReparseTag; USHORT ReparseDataLength; USHORT Reserved; USHORT SubstituteNameOffset; USHORT SubstituteNameLength; USHORT PrintNameOffset; USHORT PrintNameLength; USHORT Flags; WCHAR PathBuffer[1]; }; 59 Set to 0xA000000C for SymlinkHeader Reparse Data Flags: 0 - Absolute path 1 - Relative path
  • 60. James Forshaw @tiraniddo Create Symlink Privilege Admin user - Yay! Normal user - Boo :-( 60
  • 61. James Forshaw @tiraniddo Create Symbolic Link Privilege NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) { // Validation ... PREPARSE_DATA_BUFFER* reparse_buf; if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) && (ctx->Type != FILE_DIRECTORY)) { return STATUS_NOT_A_DIRECTORY; } if ((reparse_buf->ReparseTag == IO_REPARSE_SYMLINK) && ((ctx->Flags & 0x400) == 0)) { return STATUS_ACCESS_DENIED } // ... } 61
  • 62. James Forshaw @tiraniddo Create Symbolic Link Privilege NTSTATUS NtfsSetReparsePoint(NTFS_CREATE_CONTEXT* ctx) { // Validation ... PREPARSE_DATA_BUFFER* reparse_buf; if ((reparse_buf->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) && (ctx->Type != FILE_DIRECTORY)) { return STATUS_NOT_A_DIRECTORY; } if ((reparse_buf->ReparseTag == IO_REPARSE_SYMLINK) && ((ctx->Flags & 0x400) == 0)) { return STATUS_ACCESS_DENIED } // ... } Context must contain 0x400 flag 62
  • 63. James Forshaw @tiraniddo Flags Setting NTSTATUS NtfsSetCcbAccessFlags(NTFS_FILE_CONTEXT* ctx) { ACCESS_MODE AccessMode = NtfsEffectiveMode(); if (ctx->HasRestorePrivilege) { ctx->Flags |= 0x400; } if (AccessMode == KernelMode || SeSinglePrivilegeCheck(&SeCreateSymbolicLinkPrivilege, &security_ctx, UserMode)) { ctx->Flags |= 0x400; } // ... } 63
  • 64. James Forshaw @tiraniddo Hypothetical Scenario NTSTATUS Handle_OpenLog(PIRP Irp) { OBJECT_ATTRIBUTES objattr; UNICODE_STRING name; RtlInitUnicodeString(&name, L"SystemRootLogFilesuser.log"); InitObjectAttributes(&objattr, &name, 0, 0, 0, 0); PHANDLE Handle = Irp->AssociatedIrp->SystemBuffer; return ZwCreateFile(Handle, &objattr, ...); } 64 Returns handle to user mode process
  • 65. James Forshaw @tiraniddo 65 SMBv2 Symbolic Links https://msdn.microsoft.com/en-us/library/cc246542.aspx
  • 66. James Forshaw @tiraniddo SMBv2 Symbolic Link Restrictions 66 ● Remote to Local would be useful ● Disabled by default in local security policy
  • 67. James Forshaw @tiraniddo Back to IopParseDevice enum SymlinkDeviceType { Local, Network }; if (ctx->ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { // ... } else { SymlinkDeviceType target_type = GetSymlinkDeviceType(TargetDeviceType); if (target_type == Local || target_type == Network) { if (!NT_SUCCESS(IopSymlinkEnforceEnabledTypes( target_type, ctx->last_target_type))) { return STATUS_IO_REPARSE_DATA_INVALID; } } } 67 Enforces Symlink Traversal based on device types
  • 68. James Forshaw @tiraniddo MRXSMB20 NTSTATUS Smb2Create_Finalize(SMB_CONTEXT* ctx) { // Make request and get response if (RequestResult == STATUS_STOPPED_ON_SYMLINK) { result = FsRtlValidateReparsePointBuffer( ctx->ErrorData, ctx->ErrorDataLength); if (!NT_SUCCESS(result)) { return result; } } // ... } 68 No check on ReparseTag
  • 69. James Forshaw @tiraniddo SMBv2 Device Type Bypass 69 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver Parsing Name serversharefile Current Component Server Create sharefile
  • 70. James Forshaw @tiraniddo SMBv2 Device Type Bypass 70 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver STATUS_REPARSE Parsing Name serversharefile Current Component Server STATUS_STOPPED_ON_SYMLINK with IO_REPARSE_TAG_MOUNT_POINT
  • 71. James Forshaw @tiraniddo SMBv2 Device Type Bypass 71 NtOpenFile ObpLookupObjectName IopParseDevice SMB2 Driver Parsing Name serversharefile ??C:hello.txt Server NTFS Driver
  • 72. James Forshaw @tiraniddo DEMO 72 SMBv2 Local File Disclosure in IE
  • 73. James Forshaw @tiraniddo File Symbolic Links - Without Permissions 73
  • 74. James Forshaw @tiraniddo First Try Default CreateFile call won’t open the file. Returns Access Denied 74
  • 76. James Forshaw @tiraniddo The NtCreateFile Paradox FILE_DIRECTORY_FILE Flag FILE_NON_DIRECTORY_FILE Flag 76 Neither FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE
  • 77. James Forshaw @tiraniddo The Old ADS Directory Trick Using $INDEX_ALLOCATION stream will bypass initial directory failure 77
  • 78. James Forshaw @tiraniddo Let Our Powers Combine 78
  • 79. James Forshaw @tiraniddo Let Our Powers Combine 79 NtOpenFile ObpLookupObjectName IopParseDevice Parsing Name ??C:tempmylink RPC Controlmylink NTFS Driver STATUS_REPARSE
  • 80. James Forshaw @tiraniddo 80 NtOpenFile ObpLookupObjectName IopParseDevice NTFS Driver ObpParseSymbolicLink STATUS_REPARSE Parsing Name RPC Controlmylink ??C:hello.txt Let Our Powers Combine
  • 81. James Forshaw @tiraniddo Persisting the Symlink ● Might be useful to persist the symlink between login sessions ● Can’t pass OBJ_PERMANENT directly ○ Needs SeCreatePermanentPrivilege ● Get CSRSS to do it for us :-) 81 DefineDosDeviceW( DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, L"GLOBALROOTRPC Controlmylink", L"TargetPath" );
  • 82. James Forshaw @tiraniddo Combined Symbolic Link Limitations ● All existing limitations of Mount Points apply ● Vulnerable application can’t try to list or inspect the mount point itself ○ Listing the directory ○ Open for GetFileAttributes or similar ● Can mitigate somewhat by clever tricks with oplocks on directory hierarchy 82
  • 86. James Forshaw @tiraniddo DosDevice Prefix 86 ??c:somepath THE PREFIX IS A LIE
  • 87. James Forshaw @tiraniddo DosDevice Prefix 87 Sessions0DosDevicesX-Yc:somepath ??c:somepath
  • 88. James Forshaw @tiraniddo DosDevice Prefix 88 Sessions0DosDevicesX-Yc:somepath ??c:somepath GLOBAL??c:somepath
  • 90. James Forshaw @tiraniddo Windows User Impersonation 90
  • 91. James Forshaw @tiraniddo Very Exploitable Behaviour 91 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll
  • 92. James Forshaw @tiraniddo Very Exploitable Behaviour 92 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll
  • 93. James Forshaw @tiraniddo Very Exploitable Behaviour 93 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll Sessions0DosDevicesX-Yc:secure.dll
  • 94. James Forshaw @tiraniddo Very Exploitable Behaviour 94 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("c:secure.dll"); RevertToSelf(); } c:secure.dll ??c:secure.dll Sessions0DosDevicesX-Yc:secure.dll c:somearbitrary.dll
  • 95. James Forshaw @tiraniddo Very Exploitable Behaviour 95 void ExploitableFunction() { ImpersonateLoggedOnUser(hToken); LoadLibrary("secure.dll"); RevertToSelf(); } void COMExploitableFunction() { ImpersonateLoggedOnUser(hToken); CoCreateInstance(CLSID_SecureObject, ...); RevertToSelf(); }
  • 96. James Forshaw @tiraniddo Finding an Ideal Service 96 Requirement Spooler Service Runs as NT AUTHORITYSYSTEM Yup Uses impersonation Definitely Accessible by normal user Kind of the point Has a habit of loading DLLs Think of all the printer drivers
  • 98. James Forshaw @tiraniddo Links and References ● Symlink Testing Tools https://github.com/google/symboliclink-testing-tools ● File Test Application https://github.com/ladislav-zezula/FileTest 98