matu3ba
commented
9 months ago mentioned in https://media.ccc.de/v/37c3-11811-writing_secure_software questions at 43:00. Getting into the mentioned methods would be the next thing.
Open matu3ba opened 9 months ago
matu3ba
commented
9 months ago mentioned in https://media.ccc.de/v/37c3-11811-writing_secure_software questions at 43:00. Getting into the mentioned methods would be the next thing.
matu3ba
commented
9 months ago chrome win32k mitigation design influence https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html. chrome code overview: https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html That looks complex, but should be a nice biger example code to tackle and looks fairly comparable to what a CI would do (remote code execution as a service but no CVE outside of that). Brief overview also at https://www.chromium.org/Home/chromium-security/articles/chrome-sandbox-diagnostics-for-windows/.
Main motivation https://wiki.sei.cmu.edu/confluence/display/c/WIN02-C.+Restrict+privileges+when+spawning+child+processes
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens https://github.com/hatRiot/token-priv https://securitytimes.medium.com/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
Because security must be complex for security products? https://learn.microsoft.com/en-us/windows/win32/secauthz/securable-objects https://learn.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens
Also briefly mention antipattern of cleartext user password logins regarding information persistence and/or how to work around that with deleting and creating new user with random password.
And briefly antipatterns/pick your poison regarding https://www.tevora.com/threat-blog/about-windows-process-thread-tokens-and-pass-the-hash/. Must understand if there is no better way or simply not mentioned here.
TODOs