Author Topic: Backdooring Windows PC - RID Hijacking  (Read 841 times)

0 Members and 1 Guest are viewing this topic.

Offline K43

  • Newbie
  • *
  • Posts: 1
Backdooring Windows PC - RID Hijacking
« on: October 18, 2018, 04:56:50 PM »
I came across the below article today (link below). It appears Microsoft is guilty, yet again, of ignoring their user base. The security flaw is well documented and appears to have been reported through proper channels.

“Discovered by Sebastián Castro, a security researcher for CSL, the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).”

“Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.”

“...in cases where a hacker has a foothold on a system --via either malware or by brute-forcing an account with a weak password-- the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.”

Since Microsoft is apparently turning a blind eye to this threat, I wanted to reach out to Avast for consideration of a possible remedy. Since Avast Cleanup already has a registry scan function, would it be reasonable to add a little extra functionality to scan for inconsistent RIDs?

“It is possible to find out if a computer has been a victim of RID hijacking by looking inside the [Windows] registry and checking for inconsistencies on the SAM [Security Account Manager]," Castro added”

Thanks for looking in to this!

Regards

Full article:
https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/
« Last Edit: October 18, 2018, 05:03:39 PM by K43 »