Impersonatewindows

windows7系统怎么安装  时间:2021-03-01  阅读:()
TokenTokenKidnapping'sRevengeCesarCerrudoArgenissWhoamIWhoamIAiFddCEOArgenissFounderandCEOIhavebeenworkingonsecurityfor+8yearsIhavefoundandhelpedtofixhundredsofvulnerabilitiesinsoftwaresuchasMSWindows,MSSQLServer,OracleDatabaseServer,IBMDB2,andmanymore.
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdotargeniss.
com

湖北50G防御物理服务器( 199元/月 ),国内便宜的高防服务器

4324云是成立于2012年的老牌商家,主要经营国内服务器资源,是目前国内实力很强的商家,从价格上就可以看出来商家实力,这次商家给大家带来了全网最便宜的物理服务器。只能说用叹为观止形容。官网地址 点击进入由于是活动套餐 本款产品需要联系QQ客服 购买 QQ 800083597 QQ 2772347271CPU内存硬盘带宽IP防御价格e5 2630 12核16GBSSD 500GB​30M​1个IP...

提速啦香港独立物理服务器E3 16G 20M 5IP 299元

提速啦(www.tisula.com)是赣州王成璟网络科技有限公司旗下云服务器品牌,目前拥有在籍员工40人左右,社保在籍员工30人+,是正规的国内拥有IDC ICP ISP CDN 云牌照资质商家,2018-2021年连续4年获得CTG机房顶级金牌代理商荣誉 2021年赣州市于都县创业大赛三等奖,2020年于都电子商务示范企业,2021年于都县电子商务融合推广大使。资源优势介绍:Ceranetwo...

BuyVM($5/月)不限流量流媒体优化VPS主机 1GB内存

BuyVM商家属于比较老牌的服务商,早年有提供低价年付便宜VPS主机还记得曾经半夜的时候抢购的。但是由于这个商家风控非常严格,即便是有些是正常的操作也会导致被封账户,所以后来陆续无人去理睬,估计被我们风控的抢购低价VPS主机已经手足无措。这两年商家重新调整,而且风控也比较规范,比如才入手他们新上线的流媒体优化VPS主机也没有不适的提示。目前,BuyVM商家有提供新泽西、迈阿密等四个机房的VPS主机...

windows7系统怎么安装为你推荐
解压程序手机怎么解压文件网页解密急急急~~谁知道怎么让所有的网页都设密码?以及破解的办法啊? 谢谢了谁帮帮我啊深圳公交车路线深圳公交线路中国论坛大全中国十大网站是?公章制作在WOLD里怎样制作公章镜像文件是什么镜像文件是什么意思?硬盘人硬盘是指什么人开机滚动条谁会调开机的滚动条ejb开发EJB是啥玩意了安全漏洞web安全漏洞有哪些
短域名 提供香港vps 工信部域名备案 重庆服务器托管 瓦工 新世界机房 ix主机 私人服务器 128m内存 谷歌香港 iis安装教程 好玩的桌面 服务器怎么绑定域名 青果网 长沙服务器 云鼎网络 hkg 双11秒杀 速度云 支付宝扫码领红包 更多