More Greek...
Google's Project Zero, which begins...
For the past couple of years I've been researching Windows elevation of privilege attacks.
This might be escaping sandboxing or gaining system privileges.
One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use.
Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.
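The quoted post describes privileged code being redirected through a planted link when it creates a file. As an added example, not code from the Project Zero post or from this blog, here is the defensive counterpart on POSIX (the Windows reparse-point flags are not covered): a hypothetical `open_nofollow_under()` that walks the untrusted part of the path one component at a time with `O_NOFOLLOW` via `dir_fd`, shown beside the naive string-join it replaces, on a constructed directory layout.

```python
import os
import tempfile


def open_nofollow_under(base_dir, rel_path, flags):
    """Open base_dir/rel_path one component at a time via dir_fd (openat),
    refusing to follow a symlink at any step; lookup and open are one syscall,
    so there is no check-then-use window. base_dir is assumed trusted."""
    parts = [p for p in rel_path.split(os.sep) if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or parent traversal not allowed")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def naive_create_under(base_dir, rel_path):
    """The pattern the quoted post warns about: join the strings and let the
    kernel follow whatever link a lower-privileged party planted."""
    path = os.path.join(base_dir, rel_path)
    with open(path, "x"):
        pass
    return os.path.realpath(path)


def demo():
    """Constructed scenario: a privileged writer must create out.txt under
    base/<untrusted name>/. 'logs' is real; 'planted' is a symlink elsewhere."""
    root = tempfile.mkdtemp()
    base, outside = os.path.join(root, "base"), os.path.join(root, "outside")
    for d in (base, outside, os.path.join(base, "logs")):
        os.mkdir(d)
    os.symlink(outside, os.path.join(base, "planted"))
    results = {}
    for sub in ("logs", "planted"):
        try:
            os.close(open_nofollow_under(base, os.path.join(sub, "out.txt"),
                                         os.O_WRONLY | os.O_CREAT | os.O_EXCL))
            results[sub] = "created"
        except OSError as e:
            results[sub] = "refused: " + e.strerror
    # The naive join lands its file in the redirected directory instead.
    results["naive_landed_outside"] = naive_create_under(
        base, os.path.join("planted", "naive.txt")).startswith(os.path.realpath(outside))
    results["outside_untouched"] = not os.path.exists(os.path.join(outside, "out.txt"))
    return results
```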
***
With a pull request, systemd now supports su-like functionality and can create privileged sessions that are fully isolated from the original session.
The su command is seen as bad because what it is supposed to do is ambiguous.
On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot of concepts from the originating session. Lennart Poettering's long-story-short version: "`su` is really a broken concept.
It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.