On the afternoon of October 18th, according to media reports in Taiwan, a Colombian security researcher found that a RID hijacking vulnerability is easy to exploit on Windows, allowing an attacker to gain administrator control of a victim's computer through another user's account. Yet the flaw, which has existed for at least 10 months, has still not been patched.
Pedro Garcia, CEO of the security company CSL, discovered the RID hijacking vulnerability in December last year. A RID (relative identifier) is the number appended to a user account's security identifier (SID) that identifies the account on the computer or domain. Common RIDs are 500 for the built-in Administrator account and 501 for the Guest account.
Garcia wrote a Metasploit module to test the attack. He found that with nothing more than a Meterpreter session on a Windows PC, the relevant Windows registry keys could be overwritten: the RID stored under a user account could be modified, and a different RID assigned so that the account falls into another account group.
The researchers say that although this method does not by itself achieve remote code execution or infect a machine, once an attacker has obtained a computer account's password through malware or brute force, they can grant administrator privileges to the originally low-privileged account, turning it into a backdoor on the Windows PC.
Since registry keys persist, any tampering remains in effect until it is repaired. The attack has been tested successfully on Windows XP, Server 2003, Windows 8.1, and Windows 10.
Garcia pointed out that this approach relies entirely on built-in system resources and introduces no external malware, so it triggers no system warnings. It can only be discovered by checking the registry for an inconsistency in the Security Account Manager (SAM).
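The SAM inconsistency the article refers to can be checked offline: each user key under HKLM\SAM\SAM\Domains\Account\Users is named after the account's RID in hex, and the binary F value under that key also carries a RID, so the two should always agree. The following script is an added example, not code from the article or from CSL; the F-value offsets (0x30 for the RID, 0x38 for the account control flags) are assumptions taken from public SAM format descriptions, and the sample data is constructed rather than exported from a real machine.

```python
import struct

# Offsets inside the SAM "F" value of HKLM\SAM\SAM\Domains\Account\Users\<RID>.
# Assumed from public SAM-format documentation; not stated in the article.
F_RID_OFFSET = 0x30        # DWORD: the RID the logon process will actually use
F_ACB_FLAGS_OFFSET = 0x38  # WORD: account control bits (0x0001 = disabled)
ACB_DISABLED = 0x0001


def parse_f_value(f_bytes):
    """Return (rid, acb_flags) parsed from a SAM F value."""
    if len(f_bytes) < F_ACB_FLAGS_OFFSET + 2:
        raise ValueError("F value too short to contain RID and flags")
    rid = struct.unpack_from("<I", f_bytes, F_RID_OFFSET)[0]
    flags = struct.unpack_from("<H", f_bytes, F_ACB_FLAGS_OFFSET)[0]
    return rid, flags


def find_rid_mismatches(users):
    """users maps a hex key name (e.g. '000003E9') to that key's F value.
    Returns one finding per key whose stored RID differs from its name."""
    findings = []
    for key_name, f_bytes in users.items():
        expected_rid = int(key_name, 16)
        stored_rid, flags = parse_f_value(f_bytes)
        if stored_rid != expected_rid:
            findings.append({
                "key": key_name,
                "expected_rid": expected_rid,
                "stored_rid": stored_rid,
                "enabled": not (flags & ACB_DISABLED),
            })
    return findings


def make_f_value(rid, flags):
    # Constructed 0x50-byte F value with only the fields this check reads.
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_FLAGS_OFFSET, flags)
    return bytes(buf)


# Constructed sample: Administrator and a normal user are consistent, while the
# Guest key (501) now carries RID 500, which is what RID hijacking leaves behind.
SAMPLE_USERS = {
    "000001F4": make_f_value(500, 0x0000),
    "000003E9": make_f_value(1001, 0x0000),
    "000001F5": make_f_value(500, 0x0000),
}
```

On a live system the F values must be read as SYSTEM (for example from a SAM hive copy or a backup), after which `find_rid_mismatches` is applied to the exported key/value pairs.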
Although this is a windfall for attackers, there has so far been no report of the flaw being exploited in the wild, but he believes his company is not the only one to have found it. The researchers told ZDNet that they notified Microsoft after discovering the vulnerability but received no response, and Microsoft has, of course, not patched it.