intro to privilege elevation
TRANSCRIPT
Thinking in rings
Michael Shalyt
Malware Research Team Leader @ Check Point
PRIVILEGE ESCALATION
MICHAEL SHALYT – BIO-IN-A-GRAPH
(figure: a timeline plotted against Technology / Research axes; milestones in the order the slides build them up)
First program (8yo)
ASM (13yo)
IPHO 2005
BSc. Physics + EE
Cyber Cyber
Reverse Engineering
Research TL
MSc. Quantum Information
Malware Research TL @CP
Languages along the way: Pascal, ASM, Matlab, Javascript, Actionscript, Mathematica, C, Scheme, Python, AutoIT
Also: Catapults, Humans
Lifeinagraph.blogspot.com
WHAT’S A HACKER?
![Page 15: Intro To Privilege Elevation](https://reader031.vdocuments.mx/reader031/viewer/2022032620/55cdebcbbb61ebca048b482d/html5/thumbnails/15.jpg)
WHAT’S A HACKER?
• People committed to circumvention of computer security.
![Page 16: Intro To Privilege Elevation](https://reader031.vdocuments.mx/reader031/viewer/2022032620/55cdebcbbb61ebca048b482d/html5/thumbnails/16.jpg)
WHAT’S A HACKER?
• People committed to circumvention of computer security.
• RFC 1392: “A person who delights in having an intimate understanding of the internal workings of a system”. (1960s around MIT's Tech Model Railroad Club)
![Page 17: Intro To Privilege Elevation](https://reader031.vdocuments.mx/reader031/viewer/2022032620/55cdebcbbb61ebca048b482d/html5/thumbnails/17.jpg)
WHAT’S A HACKER?
• People committed to circumvention of computer security.
• RFC 1392: “A person who delights in having an intimate understanding of the internal workings of a system”. (1960s around MIT's Tech Model Railroad Club)
• Vs. “user” (like “script kiddies”)
![Page 18: Intro To Privilege Elevation](https://reader031.vdocuments.mx/reader031/viewer/2022032620/55cdebcbbb61ebca048b482d/html5/thumbnails/18.jpg)
PRIVILEGE
RINGS AND GATEKEEPERS
PRINCIPLE OF LEAST PRIVILEGE
• System stability.
• Security.
• Ease of deployment.
• In RL: Compartmentalization / Encapsulation.
X86 RINGS
(figure: the x86 protection rings, ordered from most privileged to least privileged)
VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.
• Username -> access.
• Hypervisor instance traversal.
• Access to restricted places/documents/data.
• Etc.
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.
• Etc.
PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
  • Gather info (profiling).
  • Pass through the guard mechanism (appear as a legitimate low ring-high ring interaction).
  • Trick the higher ring to do as you wish.
VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.
• Design bug-features.
• SE (social engineering).
• Etc. Etc.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE (social engineering).
• Etc. Etc.
EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.
• Unprotected autorun directories.
• Misconfigurations.
• Plain text passwords.
EXAMPLE – DLL HIJACKING
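The two preceding slides describe escalation paths that need no memory-corruption bug at all: a service binary (or its directory) that a normal user can overwrite, an autorun location anyone can drop files into, an unquoted service path, and application or PATH directories a DLL can be planted in. The read-only audit below is an added example written for this transcript; it is not code from the talk or from Check Point. It enumerates the host's services and machine PATH and reports every place where a broad principal holds write-class rights. The principal list and the rights mask are assumptions you should tune to your environment; run it from an elevated prompt so every ACL is readable.

```powershell
# Added defender-side audit (not from the original slides).
# Flags the "no vulns needed" conditions: writable service binaries or
# their directories, unquoted service paths with spaces, writable machine
# PATH directories (DLL search-order hazard) and the all-users Startup folder.
# Assumptions: Windows PowerShell 5.1 or newer; the principal list and the
# rights mask below are editable assumptions, not an authoritative standard.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privileged principal replace, add or delete files.
# Modify and FullControl contain these bits, so they are caught as well.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriteAces {
    # Returns the Allow ACEs on $Path that grant write-class rights to a broad
    # principal and actually apply to the object itself (not inherit-only).
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
        (([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0
    }
}

function Get-ServiceBinaryPath {
    # Extracts the executable path from a Win32_Service.PathName string,
    # which may be quoted and may carry arguments ("...\svc.exe" -arg, or
    # C:\Windows\system32\svchost.exe -k netsvcs).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function New-Finding {
    param($Kind, $Service, $Path, $Ace)
    [pscustomobject]@{
        Kind      = $Kind
        Service   = $Service
        Path      = $Path
        Principal = if ($Ace) { $Ace.IdentityReference.Value } else { '' }
        Rights    = if ($Ace) { $Ace.FileSystemRights.ToString() } else { '' }
    }
}

function Invoke-PrivEscConfigAudit {
    $findings = @()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { continue }

        # Unquoted path containing spaces: the loader may try the shorter
        # candidates (e.g. C:\Program.exe) before the intended binary.
        if ($svc.PathName -notmatch '^\s*"' -and $exe -match '\s') {
            $findings += New-Finding 'UnquotedServicePath' $svc.Name $svc.PathName $null
        }

        # Service EXE overwriting: the binary or its directory is writable.
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            foreach ($ace in Get-BroadWriteAces $target) {
                $findings += New-Finding 'WritableServiceBinaryOrDir' $svc.Name $target $ace
            }
        }
    }

    # Machine PATH directories: a writable one lets an unprivileged user plant
    # a DLL or EXE that higher-privileged processes may resolve first.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
        foreach ($ace in Get-BroadWriteAces $dir) {
            $findings += New-Finding 'WritablePathDir' '' $dir $ace
        }
    }

    # Unprotected autorun directory: the all-users Startup folder.
    $startup = [Environment]::GetFolderPath('CommonStartup')
    foreach ($ace in Get-BroadWriteAces $startup) {
        $findings += New-Finding 'WritableAutorunDir' '' $startup $ace
    }

    return $findings
}

Invoke-PrivEscConfigAudit | Sort-Object Kind, Path | Format-Table -AutoSize
```

Every row is a candidate, not a verdict: a directory that is writable by Users is only a problem if something more privileged loads from it, so pair each finding with what actually runs from that path before filing it. The rights mask deliberately includes Delete and ChangePermissions, since being able to remove or re-ACL a file is as good as being able to overwrite it.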
EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.
• Wealth of info before attack.
• Kernel bug exploitation.
• Often – make kernel mode run code from user mode.
QUESTIONS?