System services have always been an important component of Windows 10. In recent years, there have been quite a few privilege escalation vulnerabilities in them.
At present, we can effectively automate the testing of memory corruption vulnerabilities by building fuzzers, but the discovery of logical vulnerabilities still relies more on manual inspection, and automated discovery has always been a goal to achieve.
File privilege escalation is an important part of those bugs: if an attacker could gain full control of any file, they are able to write shellcode into things like DLLs, and then a SYSTEM-privileged process is created. After analyzing and summarizing the characteristics of historical vulnerabilities, I found there is a silver bullet to discover file privilege escalation bugs, and maybe there is a way to build a system based on it, so that's what I do next.
I will share the full, in-depth details of this research. In this presentation, I will start from a historical bug analysis, then share the methodology of how I started this work with minimal knowledge, as a web security researcher who knew little about Windows internals.
I will explain the inner workings of this technique: how I analyzed Advanced Local Procedure Call (ALPC), found new attack surfaces, and did some hot patches to make Process Monitor a command-line tool that detects sensitive operations, then combined them in a system that can discover file privilege escalation bugs automatically. I will also show some advanced skills: how I exploit those vulnerabilities, bypass the security check, and play with impersonation.
Finally, I will talk about 4 new vulnerabilities found in one week, which could successfully perform local privilege escalation in Windows 10 1803/1809, including one arbitrary file-read bug, one arbitrary file-delete bug, and two arbitrary file DACL rewrite bugs, which could get full control of any file with SYSTEM privilege.
Wenxu Wu (@Ma7h1as) is a security researcher at Xuanwu Lab of Tencent and is a former CTF player from XDSEC/L-Team. He is passionate about vulnerability research.