Token Kidnappings presented at BlueHat 2008

by Cesar Cerrudo (Argeniss)

Tags: Security

Summary: This presentation is about a new technique for elevating privileges on Windows, mostly from services. This technique exploits design weaknesses in Microsoft Windows XP, Windows Server 2003, Windows Vista, and even Windows Server 2008.
The presentation will explain how it's possible in Windows XP and Windows Server 2003 to elevate privileges to LOCAL SYSTEM from any process that has impersonation rights, and how it's possible in Windows Vista and Windows Server 2008 to elevate privileges to LOCAL SYSTEM from processes running under the NETWORK SERVICE and LOCAL SERVICE accounts. This demonstrates that running code under NETWORK SERVICE or LOCAL SERVICE is nonsense, since it's always possible to end up running code under the LOCAL SYSTEM account. It will also show zero-day code for elevating privileges in SQL Server 2005 and Internet Information Services 6 and 7.