Impersonatewindows
windows7系统怎么安装 时间:2021-03-01 阅读:()
TokenTokenKidnapping'sRevengeCesarCerrudoArgenissWhoamIWhoamIAiFddCEOArgenissFounderandCEOIhavebeenworkingonsecurityfor+8yearsIhavefoundandhelpedtofixhundredsofvulnerabilitiesinsoftwaresuchasMSWindows,MSSQLServer,OracleDatabaseServer,IBMDB2,andmanymore.
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdotargeniss.
com
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdot
com
- Impersonatewindows相关文档
- 安装windows7系统怎么安装
- 产品windows7系统怎么安装
- 安装windows7系统怎么安装
- 计算机windows7系统怎么安装
- 连接windows7系统怎么安装
- 安装windows7系统怎么安装
CloudCone中国新年特别套餐,洛杉矶1G内存VPS年付13.5美元起
CloudCone针对中国农历新年推出了几款特别套餐, 其中2019年前注册的用户可以以13.5美元/年的价格购买一款1G内存特价套餐,以及另外提供了两款不限制注册时间的用户可购买年付套餐。CloudCone是Quadcone旗下成立于2017年的子品牌,提供VPS及独立服务器租用,也是较早提供按小时计费VPS的商家之一,支持使用PayPal或者支付宝等付款方式。下面列出几款特别套餐配置信息。CP...
npidc:9元/月,cn2线路(不限流量)云服务器,金盾+天机+傲盾防御CC攻击,美国/香港/韩国
npidc全称No Problem Network Co.,Limited(冇問題(香港)科技有限公司,今年4月注册的)正在搞云服务器和独立服务器促销,数据中心有香港、美国、韩国,走CN2+BGP线路无视高峰堵塞,而且不限制流量,支持自定义内存、CPU、硬盘、带宽等,采用金盾+天机+傲盾防御系统拦截CC攻击,非常适合建站等用途。活动链接:https://www.npidc.com/act.html...
星梦云:四川100G高防4H4G10M月付仅60元
星梦云怎么样?星梦云资质齐全,IDC/ISP均有,从星梦云这边租的服务器均可以备案,属于一手资源,高防机柜、大带宽、高防IP业务,一手整C IP段,四川电信,星梦云专注四川高防服务器,成都服务器,雅安服务器。星梦云目前夏日云服务器促销,四川100G高防4H4G10M月付仅60元;西南高防月付特价活动,续费同价,买到就是赚到!点击进入:星梦云官方网站地址1、成都电信年中活动机(成都电信优化线路,封锁...
windows7系统怎么安装为你推荐
-
fontfamilyfont-family:"microsoft yahei",simhei; 这句到底设置为微软雅黑还是黑体,为什么写2个字体?手机游戏排行榜20152017手游排行榜前十名绵阳电信绵阳电信宽带套餐…具体点手游运营手册新浪无线 这个公司开发手机游戏吗?云播怎么看片云播影视怎么样?微信如何建群微信可以建立两个人的群吗?有一个是自己arm开发板arm开发板是干什么用的,是用在什么领域方面的arm开发板ARM开发板具体有什么作用?有什么商业价值?ps抠图技巧photoshop最基本的抠图方法和技巧!分词技术百度的中文分词原理是什么?与IK分词有区别吗?