Impersonatewindows
windows7系统怎么安装 时间:2021-03-01 阅读:()
TokenTokenKidnapping'sRevengeCesarCerrudoArgenissWhoamIWhoamIAiFddCEOArgenissFounderandCEOIhavebeenworkingonsecurityfor+8yearsIhavefoundandhelpedtofixhundredsofvulnerabilitiesinsoftwaresuchasMSWindows,MSSQLServer,OracleDatabaseServer,IBMDB2,andmanymore.
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdotargeniss.
com
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdot
com
- Impersonatewindows相关文档
- 安装windows7系统怎么安装
- 产品windows7系统怎么安装
- 安装windows7系统怎么安装
- 计算机windows7系统怎么安装
- 连接windows7系统怎么安装
- 安装windows7系统怎么安装
月神科技 国内上新成都高防 全场八折促销续费同价!
月神科技是由江西月神科技有限公司运营的一家自营云产品的IDC服务商,提供香港安畅、香港沙田、美国CERA、成都电信等机房资源,月神科技有自己的用户群和拥有创宇认证,并且也有电商企业将业务架设在月神科技的平台上。本次带来的是全场八折促销,续费同价。并且上新了国内成都高防服务器,单机100G集群1.2T真实防御,上层屏蔽UDP,可定制CC策略。非常适合网站用户。官方网站:https://www.ysi...
friendhosting:(优惠55%)大促销,全场VPS降价55%,9个机房,不限流量
每年的7月的最后一个周五是全球性质的“系统管理员日”,据说是为了感谢系统管理员的辛苦工作....friendhosting决定从现在开始一直到9月8日对其全球9个数据中心的VPS进行4.5折(优惠55%)大促销。所有VPS基于KVM虚拟,给100M带宽,不限制流量,允许自定义上传ISO...官方网站:https://friendhosting.net比特币、信用卡、PayPal、支付宝、微信、we...
亚洲云Asiayu,成都云服务器 4核4G 30M 120元一月
点击进入亚云官方网站(www.asiayun.com)公司名:上海玥悠悠云计算有限公司成都铂金宿主机IO测试图亚洲云Asiayun怎么样?亚洲云Asiayun好不好?亚云由亚云团队运营,拥有ICP/ISP/IDC/CDN等资质,亚云团队成立于2018年,经过多次品牌升级。主要销售主VPS服务器,提供云服务器和物理服务器,机房有成都、美国CERA、中国香港安畅和电信,香港提供CN2 GIA线路,CE...
windows7系统怎么安装为你推荐
-
可以发外链的论坛给几个可以发外链的论坛,还有分类信息网,不要有限制的哪种,收录不收录无所谓怎么在qq空间里添加背景音乐如何在qq空间中添加背景音乐1433端口怎么去看1433端口百度手写百度手写怎么不见了qq怎么发邮件用QQ怎样发送文件安装迅雷看看播放器迅雷看看不能播放,说我尚未安装迅雷看看播放器mate8价格华为mate8手机参数配置如何,多少元商标注册查询官网怎么查商标有没有注册机械键盘轴机械键盘什么轴好,机械键盘轴有几种什么是云平台谁能简单说一下什么是云平台啊?