exe ready to
use. Not all vulnerabilities in access control are this easy to exploit, but once you understand
the concepts, you'll quickly understand the path to privilege escalation, even if
you don't yet know how to take control of execution via a buffer overrun.
You'll Find Tons of Security Vulnerabilities
It seems like most large products that have a component running at an elevated privilege
level are vulnerable to something in this chapter. A routine audit of a class of software might
find hundreds of elevation of privilege vulnerabilities. The deeper you go into this area, the
more amazed you'll be at the sheer number of vulnerabilities waiting to be found.
How Windows Access Control Works
To fully understand the attack process described later in the chapter, it's important to
first understand how Windows Access Control works. This introductory section is large
because access control is such a rich topic. But if you stick with it and fully understand
each part of this, it will pay off with a deep understanding of this greatly misunderstood
topic, allowing you to find more and more elaborate vulnerabilities.
Gray Hat Hacking: The Ethical Hacker's Handbook
388
PART IV
This section will be a walkthrough of the four key foundational components you'll
need to understand to attack Windows Access Control: the security identifier (SID), the
access token, the security descriptor (SD), and the access check.