welcome


Saturday, August 29, 2015

None such

More Greek...

Google's Project Zero, which begins...

For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use.

Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.

***

With a pull request, systemd now supports su-like functionality and can create privileged sessions that are fully isolated from the original session.

The su command is regarded as problematic because what it is supposed to do is ambiguous.

On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot of concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.
