A Link to the Past: Abusing Symbolic Links on Windows (Speaker - James Forshaw) - Remote null Delhi Meet 25 April 2015 Combined null/OWASP Delhi Monthly Meet - 25th April, 2015
Speaker - James Forshaw
Bio - James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he has numerous disclosures in a wide range of products, from web browsers to virtual machine breakouts, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB.
Abstract: The dangers of symbolic links are well known on Unix-like operating systems. Through their misuse, a privileged process can be tricked into writing files to a location under the attacker's control, leading to privilege escalation or disclosing sensitive information. On Windows there is comparatively little comparable research into these sorts of vulnerabilities, even though Windows NT has supported symbolic links in various forms since its inception with version 3.1. To make matters worse, the functionality is poorly documented, making mitigation very difficult for Windows developers in both user and kernel mode applications. This presentation will describe the potential for abusing the various types of symbolic links on the Windows operating system to break out of application sandboxes, gain administrator privileges or disclose sensitive information. Examples of vulnerabilities will be presented to demonstrate some of the attacks, and to allow attendees to better identify other similar issues within Windows and third-party applications. It will also describe a few novel techniques for winning TOCTOU races and implementing filename-level symbolic links without requiring administrator privileges on current versions of Windows.
null Delhi and OWASP Delhi chapter team
Starts on Saturday, April 25, 2015, at 04:00 PM. The session runs for about 1 hour.