Attackers always hope to get administrator privileges. If they get them, they can do anything. Therefore, they try to get administrator privileges in various ways, such as account stealing, privilege escalation, and UAC bypass. I have found one way to escalate privileges to administrator without using a vulnerability. I hope you will see the demo, understand the mechanism, and prepare against the attacks.
How to escalate privileges to administrator in latest Windows.
1. How to escalate privileges to administrator in latest Windows.
BSides Las Vegas 2017
July 25, 2017
Soya Aoyama
2. Who I am
• Soya Aoyama
• Fujitsu System Integration Laboratories Limited
• First Presentation : AVTOKYO 2016
3. Do you want administrator privileges?
• Steal administrator accounts
• Mimikatz, PwDump, CacheDump, …
• Attack system vulnerabilities
• CVE-2017-0156, 0158, 0165, 0166, 0189, 0211, …
• Use Windows 10 weakness
• UAC bypass, IFileOperation , …
4. A year ago…
• I submitted to Microsoft's bounty program.
I decided to make it public.
5. I found…
• CompMgmtLauncher loads a third party DLL
• Requirement : Registered in the following registry
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers
[Diagram. Components: CompMgmtLauncher.exe (System File), CompMgmtLauncher.exe (System Process), xxx.dll (Third Party Program). Steps: 1. Launch, 2. Escalate to Administrator, 3. Load. Marker: "problem".]
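A defensive audit of the registry location named on this slide, as an added example that is not part of the original presentation: it lists every handler registered under that key, resolves it to its DLL through the standard COM registration in HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32, and marks DLLs outside the Windows and Program Files directories for review. The list of trusted roots and the "Review" rule are assumptions of this example.

```powershell
# Added example (not from the slides): audit the handlers registered under
# HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers and the DLLs they load.
# The .NET registry API is used so the '*' key name is never treated as a wildcard.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$handlers = $hklm.OpenSubKey('SOFTWARE\Classes\*\shellex\ContextMenuHandlers')
if ($null -eq $handlers) { return }   # key absent: nothing to audit

# Assumption of this example: DLLs outside these roots deserve a manual look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

$report = foreach ($name in $handlers.GetSubKeyNames()) {
    $sub   = $handlers.OpenSubKey($name)
    $clsid = [string]$sub.GetValue('')            # default value normally holds the CLSID
    if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        $clsid = $name                            # some handlers use the CLSID as the key name
    }

    # Resolve the CLSID to the in-process server DLL (machine-wide registration).
    $inproc = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$clsid\InprocServer32")
    $dll    = if ($inproc) { [string]$inproc.GetValue('') } else { '' }
    $dll    = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

    # Unresolved CLSIDs and bare file names (no directory) are also marked for review.
    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($dll.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $trusted = $true
        }
    }

    $signature = if ($dll -and (Test-Path -LiteralPath $dll)) {
        (Get-AuthenticodeSignature -FilePath $dll).Status
    } else { 'n/a' }

    [pscustomobject]@{
        Handler   = $name
        Clsid     = $clsid
        Dll       = $dll
        Review    = -not $trusted
        Signature = $signature
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session so the 64-bit registry view is read; rows with Review set to True are candidates for inspection, not confirmed problems.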
8. During the demonstration…
• You need administrator privileges to access the file.
I found a means to solve this issue.
9. OneDrive helps to solve the problem
• Explorer loads a OneDrive DLL
• The OneDrive program is located in the following:
%UserProfile%\AppData\Local\Microsoft\OneDrive
• You can use IFileOperation API in Explorer
[Diagram. Components: Explorer.exe (System File), Explorer.exe (System Process), FileSyncShell64.dll (OneDrive Program). Steps: 1. System Start, 2. Load. Marker: "problem".]
You can access files owned by the administrator.
13. Bad news
• This was fixed in Build 15063 (Creators Update).
• CompMgmtLauncher still loads a third party DLL.
• CompMgmtLauncher does not escalate to administrator privileges.
Microsoft does not want to pay me the reward.