PWN Windows: From Low to System Privilege via RASMAN Service

Windows is an operating system with a long history, which also means it carries a lot of code that has been in use for many years. Security may not have been fully considered when that code was written. I found an attack surface, RasMan (Remote Access Connection Manager), that has stayed out of the spotlight for a long time: it has been present at least since Windows NT 4.

In this talk, I will introduce the architecture of this module in detail and explain how I found 10+ vulnerabilities in it in a short period of time. Finally, I will present two vulnerabilities that bypass all current mitigations and won the Windows EoP category at Tianfu Cup 2021.


Ziming Zhang (@ezrak1e), Ant Security Light-Year Lab

Security researcher at Ant Security Light-Year Lab
Working on virtualization security and kernel security
2021 Tianfu Cup Windows project winner
2021 Q2 Microsoft Most Valuable Security Researcher
2020 Tianfu Cup Parallels Desktop project winner

Ziming has previously researched vulnerabilities in virtualization software and obtained 30+ CVEs in products such as QEMU, VirtualBox, and Parallels Desktop. In the past year, he received 10+ CVE numbers from Microsoft, many of them for exploitable bugs.
