Yesterday, the Microsoft Security Response Center announced their Most Valuable Security Researchers for 2020 (MVRs). This honour, awarded annually by Microsoft during Black Hat USA, is a part of MSRC’s Researcher Recognition program, and recognizes the top security researchers globally based upon the volume, accuracy, and impact of their vulnerability reports to Microsoft over the previous year. Among those named were NCC Group’s Edward Torkington, Phillip Langlois, and Dirk-Jan Mollema.
From Edward Torkington and Phillip Langlois, we’d direct readers to their November 2019 blog post on their research into Windows Component Object Model (COM) services, “CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service” which outlines their findings on privilege escalation via COM local services via two novel vulnerabilities. The first vulnerability (CVE-2019-1405) is a logic error in a COM service and allows local unprivileged users to execute arbitrary commands as a
LOCAL SERVICE user. The second vulnerability (CVE-2019-1322) is a simple service misconfiguration that allows any user in the local
SERVICE group to reconfigure a service that executes as
SYSTEM. Together, these vulnerabilities enabled arbitrary command execution as
SYSTEM by an unprivileged local user on a default installation of Windows 10. These issues were later discussed in their April 2020 blog post, “CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability” in which they discuss Microsoft’s initial attempt to patch the vulnerability and what it can teach us about the difficulty in successfully fixing this type of bug.
From Dirk-Jan Mollema, we’d direct readers to his upcoming presentation at Black Hat Asia 2020, “Walking Your Dog in Multiple Forests – Breaking AD Trust Boundaries through Kerberos Vulnerabilities“. This research demonstrated a flaw in how Active Directory forest trusts operate and how this can be combined with a vulnerability in the Windows implementation of Kerberos to take over systems in a different AD forest, from a compromised trusted forest, accompanied by a proof-of-concept and a demonstration of abusing the vulnerability. Dirk-Jan was also awarded an MSRC Most Valuable Security Researcher award in 2019. More details about his earlier work can be found in his June 2019 blog post, “Syncing yourself to Global Administrator in Azure Active Directory” which discusses a novel vulnerability in Azure AD Connect, allowing anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. This finding was particularly impactful because common Azure account configuration patterns meant that often, this vulnerability could thus enable an attacker to take over the highest admin accounts (Global Administrator) in Azure AD. Further detail about this and Dirk-Jan’s other Azure AD research is also available in his BlueHat Seattle 2019 talk recording, “I’m in your cloud: A year of hacking Azure AD,” and on his website.
Congratulations to Edward Torkington, Phillip Langlois, and Dirk-Jan Mollema, as well as all of the MSRC Most Valuable Security Researchers for 2020!