Battle of Windows Service: A Silver Bullet to Discover File Privilege Escalation Bugs Automatically

Conference: BlackHat USA 2019



The presentation discusses the discovery of logical flaws in Windows10 system services and how to find low-hanging fruits in these services.
  • Logical flaws in Windows10 system services can be discovered by restricting user communication with these services and analyzing sensitive operations.
  • Low-hanging fruits are vulnerabilities in system services that are easy to find and exploit.
  • Case studies of vulnerabilities in Task Scheduler, Installer Service, and Windows Defender Service are presented.
  • The presenter acknowledges the help of other experts in the field and reports new vulnerabilities to NSRC.
  • The goal is to ultimately improve cybersecurity in Windows10 system services.
The presenter describes a vulnerability in Windows Defender Service where a restricted user can communicate with the system service to delete a file, even if it is in another user's folder or a system folder. By replacing the file with a hard link, the user can change the DACL permissions and prevent the file from being deleted. This illustrates the importance of finding and patching logical flaws in system services to prevent unauthorized access and manipulation of files.


System services have always been an important component of Windows 10. In recent years, there have been quite a few privilege escalation vulnerabilities in them. At present, we can effectively automate the testing of memory corruption vulnerabilities by building fuzzers, but the discovery of logical vulnerabilities still relies more on manual inspection, and automated discovery has always been the goal to achieve. File privilege escalation is an important part of those bugs: if an attacker can gain full control of any file, they are able to write shellcode into things like DLLs, and then a system-privilege process is created. After analyzing and summarizing the characteristics of historic vulnerabilities, I found there is a silver bullet to discover file privilege escalation bugs, and maybe there is a way to build a system based on it, so that's what I did next.

I will share my full, in-depth details on this research. In this presentation, I will start from a historical bug analysis, then share the methodology about how I started this work with minimum knowledge as a web security researcher, knowing little about Windows internals. I will explain the inner workings of this technique: how I analyzed Advanced Local Procedure Call (ALPC), found new attack surfaces, and did some hot patches to make Process Monitor a command-line tool to detect sensitive operations, and combined them together in a system which could discover file privilege escalation bugs automatically. I will also show some advanced skills about how I exploited those vulnerabilities, bypassed the security checks, and played with impersonation.

Finally, I will talk about 4 new vulnerabilities found in one week, which could successfully perform local privilege escalation in Windows 10 1803/1809, including one arbitrary file-read bug, one arbitrary file-delete bug, and two arbitrary file DACL rewrite bugs, which could get full control of any file with system privilege.