Abusing privileged file operations on Windows

This talk presents how some file operations by privileged processes can be abused to escalate privileges on Windows. It will summarize techniques to exploit such vulnerabilities on Windows, and walk through practical examples of actual bugs found and exploited in common software products.

This talk presents how some file operations performed by privileged processes can be abused to escalate privileges on Windows. It will summarize techniques to exploit such vulnerabilities on Windows, then walk through practical examples of actual bugs found and exploited in common software products.

The first part is a quick intro/recap of what this type of bug is: file operations by a privileged process on user-controllable filesystem resources. It will mention common tools that can be used to identify this type of bugs in privileged processes and assess their exploitability.

The talk will then describe various techniques available to exploit file operations from unprivileged user processes on NTFS filesystems: junctions/mount points, object manager symlinks, opportunistic locks and combinations of the above, summarizing previous research & tools by James Foreshaw.

The example of a privileged log file write – the typical bug for this bug class – is used to outline requirements and exploitation strategies for arbitrary file write bugs and which types of operations/conditions are typically exploitable.

The next part will focus on file operations performed by AVs, which are especially prone to file manipulation bugs in their file scanning/quarantine/delete/restore features. Through another example bug, it will show why file operations happening during quarantine are especially interesting, then give a few tips on exploiting arbitrary file deletion.

The conclusion will show some impacted software and bugs found during this research, and give some advice to vendors & defenders.

About the Speaker