For years, Microsoft has put a lot of effort to mitigate privilege escalation attacks (EoPs), either by protecting user (like Windows services) or kernel (via different mitigations). Most of the work has been done to prevent that unprivileged users get elevated permissions like SYSTEM (something easily reachable running as Administrator). Despite of that, new attack techniques continue appearing in the wild, which means offensive security researchers continue evolving, even at the time you are reading this… In this talk, I’m going to present a usermode design flaw that I’ve recently found, which it’s the combination of a Windows dark “”functionality”” (recently revealed by Google Project Zero guys) and an insufficient check, which allows to escalate privileges from Medium to High integrity level (or kind of) in a deterministic way (reliability of 100%). During this presentation, I’ll explain the source of the problem and I’ll show an alive demo with a full working exploit (launching a Calculator/Notepad running as Administrator from Medium IL) in the latest Windows version. The vulnerability is still present in the latest versions of Windows 10 (22H2), Windows 11 (22H2) and Windows 11 (23H2 – not released yet), which has been recently reported to Microsoft.

Speaker:

Nicolás Alejandro Economou: “I have been working for +17 years as Security Researcher and Exploit Writer writing exploits for multiple platforms, specially for Windows kernel (and related to).

Besides, I researched and presented many offensive security projects in different security conferences.”