I think it's because the patch fixes the issue of going from a network service to SYSTEM via priv escalation.
incognito takes you from SYSTEM to another token.
but that’s just from reading the unclear advisories.
Chris, great work on this. I hadn't had a chance to verify this, but I had mixed feelings after seeing the 'token kidnapping fixed' advisories.
My understanding of token kidnapping has changed since the release of MS09-012. I now understand that incognito really just implements token /impersonation/, not token /kidnapping/. As you mentioned, SYSTEM -> arbitrary_user token impersonation is expected behavior.
I’m not clear on whether the user account option ‘account is sensitive and cannot be delegated’ in Active Directory is of any use in protecting against SYSTEM -> domain user impersonation, or, similarly if the computer account option ‘Trust computer for delegation’ is part of the issue.
The wording here: http://technet.microsoft.com/en-us/library/cc961980.aspx — says this:
When you trust a computer for delegation, you enable delegation for all services that run under the Local System account on the computer. If an unwary administrator installs an untrusted service on the computer and configures it to run as Local System, it too can access network resources while impersonating other users. A better practice is to configure services that use delegation to run under their own domain user accounts managed by domain administrators.
Ideas? I think I just need to dig a little deeper into the Windows security model and understand impersonation better.
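As an added example (not code from the blog or from any of the commenters), a PowerShell check that decodes the two userAccountControl bits behind the Active Directory options discussed in the comment above, so an administrator can see which accounts carry them. The account names and values are constructed; the trailing comment sketches how to feed real directory objects instead.

```powershell
# Added example: decode the userAccountControl bits behind the AD options
# "Account is sensitive and cannot be delegated" and
# "Trust this computer for delegation". Bit values are the documented
# ADS_UF_* constants; the sample accounts below are constructed.
$NOT_DELEGATED          = 0x100000   # ADS_UF_NOT_DELEGATED
$TRUSTED_FOR_DELEGATION = 0x80000    # ADS_UF_TRUSTED_FOR_DELEGATION

function Get-DelegationPosture {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [int]    $UserAccountControl
    )
    # Report both flags for one account as a plain object.
    [pscustomobject]@{
        AccountName          = $AccountName
        TrustedForDelegation = [bool]($UserAccountControl -band $TRUSTED_FOR_DELEGATION)
        NotDelegated         = [bool]($UserAccountControl -band $NOT_DELEGATED)
    }
}

# Constructed sample values standing in for directory output.
$samples = @(
    @{ Name = 'FILESRV01'; UAC = 0x81000  }   # workstation trust account + trusted for delegation
    @{ Name = 'WS-042';    UAC = 0x1000   }   # plain workstation trust account
    @{ Name = 'jdoe';      UAC = 0x200    }   # normal user account
    @{ Name = 'da-admin';  UAC = 0x100200 }   # normal user, marked sensitive / cannot be delegated
)

$posture = foreach ($s in $samples) {
    Get-DelegationPosture -AccountName $s.Name -UserAccountControl $s.UAC
}
$posture | Format-Table -AutoSize

# Computers trusted for delegation are the ones the quoted TechNet passage warns about.
$posture | Where-Object { $_.TrustedForDelegation } |
    ForEach-Object { Write-Warning "$($_.AccountName) is trusted for delegation" }

# Against a live domain (ActiveDirectory module), feed real objects instead:
#   Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
#                -Properties userAccountControl |
#       ForEach-Object { Get-DelegationPosture $_.Name $_.userAccountControl }
```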
Things in the initial Microsoft release documents were a little vague on exactly what was fixed. I managed to find some references to the original research which tends to lean more towards SQL Server and IIS issues. In particular they mention the MSDTC service and from the patch information it seems that this is the main area patched. At least 75% of the patched files contain the word DTC. So take it as it comes. I'll have to find the link and post it as soon as I have the chance.