This workshop is an introduction to finding and exploiting logical privilege escalation vulnerabilities on Windows. More and more code on Windows runs inside sandboxes or as a non-administrator, which makes privilege escalation more important than ever. Memory corruption is a common way of gaining higher privileges, but Windows has been introducing more mitigations that make such exploitation harder. Logical vulnerabilities, on the other hand, are typically not affected by mitigations such as ASLR or DEP, but they are generally more difficult to find. As an added complication, they cannot easily be discovered through typical fuzzing approaches. Some of the topics to be presented will be:
- Windows internals as relevant to privilege escalation
  - Types of sandboxes: restricted and low box tokens
  - Under the hood
- Attack surface analysis: probing the sandbox and the system
  - COM services
  - Exposed device drivers
- File and registry vulnerabilities
  - How to find them and what to look for
  - Exploitation
- Token vulnerabilities
  - How to find them and what to look for
  - Exploitation
- UAC and unusual unfixed vulnerabilities
- Working examples based on previous vulnerabilities

Attendees are welcome to participate throughout the workshop by having access to a Windows 10 32-bit VM installation. Access to all tools and examples demonstrated on the day will be provided.