Impersonatewindows
windows7系统怎么安装 时间:2021-03-01 阅读:()
TokenTokenKidnapping'sRevengeCesarCerrudoArgenissWhoamIWhoamIAiFddCEOArgenissFounderandCEOIhavebeenworkingonsecurityfor+8yearsIhavefoundandhelpedtofixhundredsofvulnerabilitiesinsoftwaresuchasMSWindows,MSSQLServer,OracleDatabaseServer,IBMDB2,andmanymore.
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdotargeniss.
com
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdot
com
- Impersonatewindows相关文档
- 安装windows7系统怎么安装
- 产品windows7系统怎么安装
- 安装windows7系统怎么安装
- 计算机windows7系统怎么安装
- 连接windows7系统怎么安装
- 安装windows7系统怎么安装
腾讯云轻量服务器两款低价年付套餐 2核4GB内存8M带宽 年74元
昨天,有在"阿里云秋季促销活动 轻量云服务器2G5M配置新购年60元"文章中记录到阿里云轻量服务器2GB内存、5M带宽一年60元的活动,当然这个也是国内机房的。我们很多人都清楚备案是需要接入的,如果我们在其他服务商的域名备案的,那是不能解析的。除非我们不是用来建站,而是用来云端的,是可以用的。这不看到其对手腾讯云也有推出两款轻量服务器活动。其中一款是4GB内存、8M带宽,这个比阿里云还要狠。这个真...
UCloud云服务器香港临时补货,(Intel)CN2 GIA优化线路,上车绝佳时机
至今为止介绍了很多UCLOUD云服务器的促销活动,UCLOUD业者以前看不到我们的个人用户,即使有促销活动,续费也很少。现在新用户的折扣力很大,包括旧用户在内也有一部分折扣。结果,我们的用户是他们的生存动力。没有共享他们的信息的理由是比较受欢迎的香港云服务器CN2GIA线路产品缺货。这不是刚才看到邮件注意和刘先生的通知,而是补充UCLOUD香港云服务器、INTELCPU配置的服务器。如果我们需要他...
速云:广州移动/深圳移动/广东联通/香港HKT等VDS,9折优惠,最低月付9元;深圳独立服务器1050元/首月起
速云怎么样?速云,国人商家,提供广州移动、深圳移动、广州茂名联通、香港hkt等VDS和独立服务器。现在暑期限时特惠,力度大。广州移动/深圳移动/广东联通/香港HKT等9折优惠,最低月付9元;暑期特惠,带宽、流量翻倍,深港mplc免费试用!点击进入:速云官方网站地址速云优惠码:全场9折优惠码:summer速云优惠活动:活动期间,所有地区所有配置可享受9折优惠,深圳/广州地区流量计费VDS可选择流量翻...
windows7系统怎么安装为你推荐
-
支付宝查询余额我的支付宝如何查询余额人人时光机寻时光机歌词安卓应用平台app应用平台有哪些 应用平台哪些童之磊华硕的四核平板电脑,怎么样?qq怎么发邮件用QQ怎样发送文件ios7固件下载iOS的固件有正版盗版之分吗?我看到了蜂威网有iOS7的固件想下载试用一下,那里是测试版是正版吗商标注册查询官网如何在网上查询商标是否注册?gbk编码表GB GBK utf8码的区别铁路客服中心铁路客户服务中心怎么订票微信电话本怎么用微信电话本怎么使用呀,我的电话号码是存在手机里面,用这个软件就读取不了电话,我是第一次使用