Hacking Windows in Software

Creator QR Code in Software Hacking Windows

Think about this attack next time you re passing through a zone of heavy wireless access point beaconing, such as a crowded metropolitan area or major airport Every one of those available wireless networks you see could ve already rooted your machine

The most obvious way to reduce risk for device driver attacks is to apply vendor patches as soon as possible The other option is to disable the affected functionality (device) in high-risk environments For example, in the case of the wireless network driver attacks described previously, we recommend turning off your wireless networking radio while passing through areas with high concentrations of access points Most laptop vendors provide an external hardware switch for this Of course, you lose device functionality with this countermeasure, so it s not very helpful if you need to use the device in question (and in the case of wireless connectivity, you almost always need it on in most cases) Microsoft has recognized this issue by providing for driver signing in more recent versions of Windows; in fact, 64-bit versions of Vista and Server 2008 require trusted signatures on kernel-mode software (see http://wwwmicrosoftcom/whdc/winlogo/ drvsign/drvsignmspx) Of course, driver signing makes the long-held assumption that signed code is well-constructed code and provides no real assurances that security flaws like buffer overflows don t still exist in the code So, the impact of code signing on device driver exploits remains to be seen In the future, approaches like Microsoft s User-Mode Driver Framework (UMDF) may provide greater mitigation for this class of vulnerabilities (see http://enwikipedia org/wiki/User-Mode_Driver_Framework) The idea behind UMDF is to provide a dedicated API through which low-privileged user-mode drivers can access the kernel in well-defined ways Thus, even if the driver has a security vulnerability that is exploited, the resulting impact to the system is much lower than would be the case with a traditional kernel-mode driver

So far we ve illustrated the most commonly used tools and techniques for obtaining some level of access to a Windows system These mechanisms typically result in varying degrees of privilege on the target system, from Guest to SYSTEM Regardless of the degree of privilege attained, however, the first conquest in any Windows environment is typically only the beginning of a much longer campaign This section details how the rest of the war is waged once the first system falls, and the initial battle is won

Once attackers have obtained a user account on a Windows system, they will set their eyes immediately on obtaining Administrator- or SYSTEM-equivalent privileges One of

the all-time greatest hacks of Windows was the so-called getadmin family of exploits (see http://wwwwindowsitsecuritycom/Articles/Indexcfm ArticleID=9231) Getadmin was the first serious privilege escalation attack against Windows NT4, and although that specific attack has been patched (post NT4 SP3), the basic technique by which it works, DLL injection, lives on and is still used effectively today The power of getadmin was muted somewhat by the fact that it must be run by an interactive user on the target system, as must most privilege-escalation attacks Because most users cannot log on interactively to a Windows server by default, it is really only useful to rogue members of the various built-in Operators groups (Account, Backup, Server, and so on) and the default Internet server account, IUSR_machinename, who have this privilege If malicious individuals have the interactive logon privilege on your server already, privilege escalation exploits aren t going to make things much worse They already have access to just about anything else they d want The Windows architecture still has a difficult time preventing interactively loggedon accounts from escalating privileges, due mostly to the diversity and complexity of the Windows interactive login environment (see, for example, http://blogstechnetcom/ askperf/archive/2007/07/24/sessions-desktops-and-windows-stationsaspx) Even worse, interactive logon has become much more widespread as Windows Terminal Server has assumed the mantle of remote management and distributed processing workhorse Finally, it is important to consider that the most important vector for privilege escalation for Internet client systems is web browsing and e-mail processing, as we noted earlier and will discuss again in 12 We ll also discuss the classic supra-system privilege escalation exploit LSADump later in this chapter Finally, we should note that obtaining Administrator status is not technically the highest privilege one can obtain on a Windows machine The SYSTEM account (also known as the Local System, or NT AUTHORITY\SYSTEM account) actually accrues more privilege than Administrator However, there are a few common tricks to allow administrators to attain SYSTEM privileges quite easily One is to open a command shell using the Windows Scheduler service as follows: