Abstract
For years, Microsoft has put a lot of effort to mitigate privilege escalation attacks (EoPs), either by protecting usermode (like Windows services) or the kernel (via different mitigations).
Most of the work has been done to prevent unprivileged users from obtaining elevated permissions like SYSTEM (something easily reachable running as Administrator). Despite these efforts, new attack techniques continue appearing in the wild. This means offensive security researchers continue evolving, even at the time you are reading this...
In this talk, we are going to present a usermode design flaw that we've recently discovered. It's the combination of a Windows dark "functionality" (recently revealed by Google Project Zero) and an insufficient check, which allows to escalate privileges from Medium to High integrity level (or kind of) in a deterministic way with a reliability of 100%.
During this presentation, we'll explain the source of the problem and we'll show a live demo with a full working exploit (launching a Calculator/Notepad running as Administrator from Medium IL) in the latest version of Windows.
At the time of the publication of these slides, the vulnerability is still present in the latest versions of Windows 10 (22H2), Windows 11 (22H2) and Windows 11 (23H2 - not released yet), which has been recently reported to Microsoft.
Most of the work has been done to prevent unprivileged users from obtaining elevated permissions like SYSTEM (something easily reachable running as Administrator). Despite these efforts, new attack techniques continue appearing in the wild. This means offensive security researchers continue evolving, even at the time you are reading this...
In this talk, we are going to present a usermode design flaw that we've recently discovered. It's the combination of a Windows dark "functionality" (recently revealed by Google Project Zero) and an insufficient check, which allows to escalate privileges from Medium to High integrity level (or kind of) in a deterministic way with a reliability of 100%.
During this presentation, we'll explain the source of the problem and we'll show a live demo with a full working exploit (launching a Calculator/Notepad running as Administrator from Medium IL) in the latest version of Windows.
At the time of the publication of these slides, the vulnerability is still present in the latest versions of Windows 10 (22H2), Windows 11 (22H2) and Windows 11 (23H2 - not released yet), which has been recently reported to Microsoft.
Download
Links to the slides presented at Ekoparty 2023 can be found below: