Vetle Økland
FINDING PRIVESC WITH PROCMON
::1
• Pentester @ Nagarro
• Live here in Oslo
• Too young to understand why Windows does anything
• Twitter: @bordplate
• Blog: https://bordplate.no/blog/en
What is Procmon?
Process Monitor
Boot logging
• Consider disabling anti-virus scanning for smaller log files
What are we looking for?
Image from: DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed, https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/
Paths and Files
• PATH NOT FOUND
• NAME NOT FOUND
Both of these in a user-writable folder indicate you can influence the program.
Will vary based on file type and the program handling the files.
Image from a vulnerability found by Florian Bogner at bogner.sh: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/
SetSecurityFile / Permission Overwrite
CVE-2019-8452 – Permission Overwrite
Hard links to any file
• Courtesy of James Forshaw from Google’s Project Zero
• Normal mklink tool does not allow hard links to files you don’t have write-access to
• ZwSetInformationFile does not enforce that check
• CreateHardLinkW does however
• Native-HardLink.ps1 from https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Native-HardLink.ps1 by @fuzzysec (Ruben Boonen)
Unquoted service paths
DLL search order hijacking
Configuration
• Need to have local admin
Useful filters
• SYSTEM
• NAME NOT FOUND / PATH NOT FOUND
• SetSecurityFile (on its own)
Exporting for other tools
• Exports to CSV and XML
• Exporting for XML with stack traces can create *really* big files
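To put the "Useful filters" and the CSV export together, here is an added Python triage script (not from the talk) that reads a Procmon CSV export and applies the SYSTEM, NAME NOT FOUND / PATH NOT FOUND and SetSecurityFile filters, keeping only missing paths that fall under a directory normal users can write to. It assumes the export includes the optional User column (Options > Select Columns) and that the user-writable directory list comes from a separate AccessEnum scan; the CSV rows are constructed.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (File > Save... as CSV, with the
# optional "User" column enabled under Options > Select Columns). All process
# names, paths and timestamps are made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:01:02.1","svc.exe","1234","CreateFile","C:\\Program Files\\Vendor\\plugin.dll","NAME NOT FOUND","Desired Access: Read","NT AUTHORITY\\SYSTEM"
"10:01:02.2","svc.exe","1234","CreateFile","C:\\ProgramData\\Vendor\\update\\config.xml","PATH NOT FOUND","Desired Access: Read","NT AUTHORITY\\SYSTEM"
"10:01:02.3","svc.exe","1234","CreateFile","C:\\ProgramData\\Vendor\\plugins\\helper.dll","NAME NOT FOUND","Desired Access: Read","NT AUTHORITY\\SYSTEM"
"10:01:02.4","svc.exe","1234","SetSecurityFile","C:\\ProgramData\\Vendor\\logs\\app.log","SUCCESS","Owner: BUILTIN\\Administrators","NT AUTHORITY\\SYSTEM"
"10:01:02.5","chrome.exe","4321","CreateFile","C:\\Users\\alice\\AppData\\Local\\x.dll","NAME NOT FOUND","Desired Access: Read","HOST\\alice"
"10:01:02.6","svc.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read","NT AUTHORITY\\SYSTEM"
"""

# Directories that an AccessEnum scan reported as writable by normal users on
# the machine under review. Constructed list; fill it from your own scan.
USER_WRITABLE = [r"C:\ProgramData\Vendor", r"C:\Users\Public"]

MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}


def in_user_writable(path, user_writable):
    """True if path lies below one of the user-writable directories."""
    p = path.lower()
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in user_writable)


def triage(csv_text, user_writable, user="NT AUTHORITY\\SYSTEM"):
    """Return (kind, path) candidates for manual review, in log order.

    Every hit still needs a human look: whether a missing file or a DACL
    rewrite matters depends on the file type and the program handling it.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["User"] != user:          # the SYSTEM filter
            continue
        path, op, result = row["Path"], row["Operation"], row["Result"]
        if op == "SetSecurityFile":      # privileged process rewriting a DACL
            hits.append(("permission-overwrite", path))
        elif result in MISSING and in_user_writable(path, user_writable):
            # A missing .dll under a user-writable directory is the classic
            # DLL search order signal; anything else is a generic missing path.
            kind = "dll-search-order" if path.lower().endswith(".dll") else "missing-file-or-dir"
            hits.append((kind, path))
    return hits
```

Running `triage(SAMPLE_CSV, USER_WRITABLE)` on the sample drops the plugin.dll lookup (it sits under Program Files, not a writable directory) and alice's lookup (wrong user), and keeps the three SYSTEM events under C:\ProgramData\Vendor.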
Exploring in Procmon
![Page 20: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/20.jpg)
![Page 21: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/21.jpg)
![Page 22: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/22.jpg)
![Page 23: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/23.jpg)
![Page 24: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/24.jpg)
![Page 25: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/25.jpg)
![Page 26: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/26.jpg)
![Page 27: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/27.jpg)
![Page 28: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/28.jpg)
![Page 29: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/29.jpg)
![Page 30: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/30.jpg)
![Page 31: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/31.jpg)
![Page 32: Finding Privesc with Procmon - Bordplate · DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed. Paths and Files](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f84e0fed7091a00905c8652/html5/thumbnails/32.jpg)
Hunting in registry
• Not seen any potential for abuse
• Include SYSTEM user
• Exclude starting with HKLM and HKCU
AccessEnum