Exploit takes a long time to cook Windows, but gives hackers a menu of evil options.
Shmoocon Foxglove Security bod Stephen Breen has strung together dusty unpatched Windows vulnerabilities to gain local system-level access on Windows versions up to 8.1.
The unholy zero-day concoction, reported to Microsoft in September and still unpatched, is a reliable way of p0wning Windows for attackers that have managed to pop user machines.
Breen released exploit code for his attack dubbed Hot Potato following his talk at the Shmoocon conference in Washington over the weekend.
“Hot Potato takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay -\- specifically HTTP-SMB relay – and NBNS spoofing,” Breen says.
“Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to NT Authority/System – the highest level of privilege available on a Windows machine.
“This is important because many organisations unfortunately rely on Windows account privileges to protect their corporate network.”
The work borrows techniques disclosed by the Google Project Zero hack house.
Attackers who use the technique after first gaining low-level access – a common situation for black hats and penetration testers – can begin lateral network movement from where other hosts can be hosed.
“Gaining high privilege access on a host is often a critical step in a penetration test, and is usually performed in an ad-hoc manner as there are no known public exploits or techniques to do so reliably,” Breen says.
Microsoft has known of the vulnerable elements in the attack since the turn of the century, but legacy and backwards compatibility has made patching difficult.
Attackers need patience when running the exploit thanks to some flaky Windows services.
In a demonstration Breen shows how Windows 7 can be reliably hosed using the potato.exe binary exploiting Windows Defender’s update mechanism.
It is also successful on Windows Server 2008 and 2012, but the exploit can take an entire day to fire on the latter thanks to changes in the updating process.
Breen’s work includes NetBIOS Name Service spoofing attacks across network broadcast domains which has been brewed into a module for the the popular Responder tool. He suggests it may be possible to launch those attacks over the web.