Published in News

A simple Windows hack is unfixed a year later

by on18 October 2018

All a hacker could want

A simple Windows security hack which was discovered a year ago is still unpatched.

Discovered by Sebastián Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).

It delivers the hacker admin rights and boot persistence on Windows PCs that's simple to execute and hard to stop.

For some reason, though, the flaw has not been patched and it has not received either media coverage. Fortunately, the hackers have not spotted it either, and it has not been part of any malware campaigns.

The RID is a code added at the end of account security identifiers (SIDs) that describes that user's permissions group. There are several RIDs available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.

Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.

A hacker cannot remotely infect a computer unless that computer has been left exposed on the Internet without a password.

But it helps when a hacker has a foothold on a system. The hacker can give admin permissions to a compromised low-level account and gain a permanent backdoor with full SYSTEM access on a Windows PC.

Since registry keys are also boot persistent, any modifications made to an account's RID remain permanent, or until fixed.

The attack works on Windows versions going from XP to 10 and from Server 2003 to Server 2016, although even older versions should be vulnerable.

"We reached out Microsoft as soon as the module was developed, but we did not receive any response from them", Castro said. "And no, it is not already patched."

Last modified on 18 October 2018
Rate this item
(0 votes)

Read more about: