Slashdot Mirror


Researcher Finds Simple Way of Backdooring Windows PCs and Nobody Notices for Ten Months (zdnet.com)

A security researcher from Colombia has found a way of gaining admin rights and boot persistence on Windows PCs that's simple to execute and hard to stop -- all the features that hackers and malware authors are looking for from an exploitation technique. From a report: What's more surprising is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns. Discovered by Sebastian Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID). The RID is a code added at the end of account security identifiers (SIDs) that describes that user's permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.

Castro, with help from CSL CEO Pedro Garcia, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group. The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password. But in cases where a hacker has a foothold on a system -- via either malware or by brute-forcing an account with a weak password -- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

11 of 94 comments

  1. Cite please? by NewtonsLaw · · Score: 4, Interesting

    Can we have a link to material that might verify this claim?

    1. Re:Cite please? by Anonymous Coward · · Score: 5, Interesting

      There are so many errors in TFS that it is hard to say. First, a RID does not describe the user's groups. A RID is simply an offset applied to the computer SID that is incremented by one for each new user account. So that's wrong. Yes, the first RID created is for the administrator account and it is indeed *computer SID*-500. But that doesn't equate to permission groups. Next, it says that you can do this with an unprivileged user. You can't. You have to have admin in order to make the change to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and associated areas where you would be able to make this change. So if you already have admin, there isn't much point in this.
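
      A defender-side check for the mapping the comment above describes (RID as the last component of a local account SID, with 500 and 501 reserved for the built-in Administrator and Guest). This is an added example, not code from the article, from CSL or from any commenter; it assumes account name/SID pairs as enumerated from the local SAM and uses a constructed sample in which "bob" has ended up with RID 500.

```python
import re
from collections import defaultdict

# Well-known RIDs named in the summary: 500 = built-in Administrator, 501 = Guest.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# A machine-local account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(sid):
    """Return ((a, b, c), rid) for a local account SID; ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a local account SID: {sid}")
    a, b, c, rid = (int(x) for x in m.groups())
    return (a, b, c), rid


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Return a list of finding strings.

    Two anomalies are reported: a well-known RID attached to an account whose
    name is not the built-in one (a renamed Administrator would also trigger
    this, so confirm against your baseline), and any RID shared by more than
    one account, which should never happen since RIDs are allocated uniquely.
    """
    findings = []
    by_rid = defaultdict(list)
    for name, sid in accounts:
        _, rid = parse_sid(sid)
        by_rid[rid].append(name)
        expected = WELL_KNOWN_RIDS.get(rid)
        if expected is not None and name != expected:
            findings.append(f"{name}: RID {rid} belongs to built-in {expected}")
    for rid, names in by_rid.items():
        if len(names) > 1:
            findings.append(f"RID {rid} shared by {', '.join(names)}")
    return findings


# Constructed sample, shaped like `wmic useraccount get name,sid` output.
SAMPLE = [
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("alice",         "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("bob",           "S-1-5-21-1004336348-1177238915-682003330-500"),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE):
        print(finding)
```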

    2. Re:Cite please? by Gravis+Zero · · Score: 3, Informative

      Can we have a link to material that might verify this claim?

      A search of "RID Hijacking" revealed (among other things) a commit to metasploit on Feb 20. (likely merged in from a fork)

      Git commit dates can be faked so there is also an announcement from @BlackHatEvents about it from June 24.

      I'm quite inclined to believe their claim.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Cite please? by hwihyw · · Score: 4, Interesting
    4. Re:Cite please? by Anonymous Coward · · Score: 2, Funny

      Linux has a similarly catastrophic security hole:

      Once you get root access, edit /etc/passwd and change the uid for your username to 0.
      Persistent root access for your unprivileged user!
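
      The Linux analogue of the same audit, as an added example not taken from the thread: parse /etc/passwd and report every account other than root that would log in with uid 0, plus any uid shared by several names. The passwd excerpt is constructed, with "mallory" re-keyed to uid 0 as the comment describes.

```python
# Constructed /etc/passwd excerpt: an ordinary system plus "mallory" set to uid 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
mallory:x:0:1001:Mallory:/home/mallory:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, gid, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        yield name, int(uid), int(gid), shell


def find_uid0_accounts(text):
    """Names other than root that resolve to uid 0 (i.e. full root on login)."""
    return [name for name, uid, _gid, _shell in parse_passwd(text)
            if uid == 0 and name != "root"]


def find_duplicate_uids(text):
    """Map uid -> [names] for every uid that more than one account claims."""
    seen = {}
    dups = {}
    for name, uid, _gid, _shell in parse_passwd(text):
        if uid in seen:
            dups.setdefault(uid, [seen[uid]]).append(name)
        else:
            seen[uid] = name
    return dups


if __name__ == "__main__":
    # Read the live file on a real host; the sample keeps this runnable offline.
    print(find_uid0_accounts(SAMPLE_PASSWD))   # ['mallory']
    print(find_duplicate_uids(SAMPLE_PASSWD))  # {0: ['root', 'mallory']}
```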

    5. Re:Cite please? by LesFerg · · Score: 4, Insightful

      Precisely.

      "Hey everyone I have a Windows backdoor!!! Just give me admin access and let me edit your registry file."

      Where is the news?

      --
      If I had a DeLorean... I would probably only drive it from time to time.
  2. If you can add someone to the administrator group. by Kaenneth · · Score: 5, Funny

    "Oh yes, I thought of something," panted Ford.

    Arthur looked up expectantly.

    "But unfortunately," continued Ford, "it rather involved being on the other side of this airtight hatchway."

  3. Re:Remote Access by jbmartin6 · · Score: 2

    You would need admin access to make the change in the first place, this is just a persistence mechanism. There are so many others it is no surprise this one isn't seeing any use.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  4. Re:Remote Access by hey! · · Score: 2

    I think you're missing the point of the back door. Sure, it doesn't enable the attacker to do anything he couldn't otherwise do right now, but you don't necessarily want to do anything right now. This could be because the machine doesn't have the information you want to steal yet, or because you want to interfere with something the user may be involved with in the future (e.g., conducting a military or political campaign).

    The problem is just because you can get in now doesn't guarantee that the system won't get patched later, or passwords updated, or malware files scanned. Any kind of vulnerability you leave behind could simplify your job later.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  5. Re:What I would really like to see by viperidaenz · · Score: 2

    "You're too stupid to be allowed to run windows, so here's something that's harder to use and easier to fuck up"
    Good one.