LetsWindows10

Posts posted by LetsWindows10

  1. I figured it's time to start poking at security in Win10.   Working with local only standard accounts vs admin accounts.

    Full disclosure: This is a hobby, I don't claim bug bounties, I don't want credit for anything, I value my privacy, however, the infosec community I've found recently is very inclusive and shares, so here's my noob evaluation.

     

    The Administrator account is hidden by default, but a user with admin privileges can activate it from an elevated command prompt with 

    net user administrator /active:yes

    The default password is blank.

     

    A user with standard access has basically read-only access to the registry, critical folders, and command prompt.

     

    (my favorite find on Win7 machines was appending an executable to the key:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit)

     

    This key still exists, but it's read only to standard users.

     

    However, the task manager does have some limited access which carries over to services.

    Checking services that are set to "Automatic (delayed start)" yields a handful that grant "Start" access to the standard account.  The majority are invoked by svchost.exe so we're gonna ignore them assuming they're locked down.  

     

    The one that's interesting is sppsvc. It's got an AES key embedded and tracing DLL calls may yield a more simple attack vector.  

     

    Finding an executable-on-boot path (via weak folder permissions) and replacing the service call could be fun!

     

    This can only work on say a Staples demo PC or high school PC with a lacking security policy, but if anyone has any feedback, or can take the money & run, go for it.

     

    Edit: all testing done on latest fast track build 10586 and Windows was happy to install week-old updates under standard account

     

    Edit #2: best post I've found so far on Windows Privilege Escalation.

    http://fuzzysecurity.com/tutorials/16.html 
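
The service-permission check described in the post above, from the auditing side, as an added example that is not part of the original post: it parses the SDDL string that `sc sdshow <service>` prints and reports which rights the DACL grants to low-privileged groups. The sample descriptors and service names are constructed for illustration, and deny ACEs are assumed absent and are not evaluated.

```python
import re

# SDDL right codes as they map onto service access bits (winsvc.h / winnt.h).
RIGHT_BITS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Generic rights expand to these service-specific masks.
GENERIC = {0x10000000: 0xF01FF, 0x20000000: 0x20170,
           0x40000000: 0x20002, 0x80000000: 0x2008D}
# SID aliases that include standard (non-admin) users.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users",
            "IU": "Interactive users", "BU": "Built-in Users",
            "AN": "Anonymous", "BG": "Guests"}
# Rights worth reporting: start is what the post observed; the others let
# the holder reconfigure the service or rewrite its permissions.
CHECKS = {0x0010: ("review", "SERVICE_START"),
          0x0002: ("high", "SERVICE_CHANGE_CONFIG"),
          0x40000: ("high", "WRITE_DAC"),
          0x80000: ("high", "WRITE_OWNER")}


def parse_rights(field):
    """Turn an ACE rights field (two-letter codes or hex) into a bitmask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for code in re.findall("..", field):
            mask |= RIGHT_BITS.get(code, 0)
    for generic_bit, expanded in GENERIC.items():
        if mask & generic_bit:
            mask = (mask & ~generic_bit) | expanded
    return mask


def audit_service_sddl(sddl):
    """Return sorted (severity, group, right) findings for allow ACEs."""
    # Only the DACL ("D:") matters here; the SACL ("S:") holds audit ACEs.
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue
        mask = parse_rights(fields[2])
        for bit, (severity, name) in CHECKS.items():
            if mask & bit:
                findings.append((severity, LOW_PRIV[fields[5]], name))
    return sorted(findings)


# Constructed samples (hypothetical services, not captured from a real host).
SAMPLES = {
    "locked_down": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
                   "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "user_startable": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;IU)",
    "misconfigured": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;GA;;;WD)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit_service_sddl(sddl))
```

A "review" finding matches what the post describes (standard users may start the service); a "high" finding means a standard user could change the service's configuration or permissions and should be corrected.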

  2. Why I worry so much about the Microsoft Account/Windows10 tie-in. (or, a morose "told you so" moment)

     

    Cross-site scripting vulnerability found in Microsoft Account login site, disclosed after it was patched fortunately - as recently as September 22 of this year.

     

    TawLqTE.jpg

     

    If MS can't secure the central component of their business plan and can't audit for simple, old vulnerabilities, should you trust them with your data?

    Sure the members of this forum have (hopefully) either used Windows 10 with a local account only, or created their own "anti-social" Windows 10 install because we're all savvy enough to use the advice and research shared by the good folks here.  But the number of friends, family and coworkers who have willingly or unwillingly upgraded scares me.  Most of them have more to lose than I do.

     

    It's not a matter of "Evil M$ wants to spy on me!" that concerns me.  It's the naive, irresponsible attitude that MS thinks they can anonymize your data and it will never leak.

     

    The tweet posted above is just the tip of the iceberg - a benevolent security researcher who alerted MS.  A bigger vulnerability that leads to a massive leak will happen eventually.  It won't be from the "Chinese hackers" or "Russian hackers".  It will be one of the following vectors:

    • A simple vulnerability in the realm of XSS
    • An MS employee with elevated access to the "cloud data" will be compromised by trojan/keylogger
    • The data that MS now has to share with the gov't (thanks to CISA and UN agreement) will not be properly sanitized and an entry level IT specialist who doesn't get paid enough to care, does something careless with the data.
    • The CDN account at one of the many providers Win10 is chatty with will be compromised and captured.

    At some point, with thousands of customer accounts reported compromised by various vendors each day, is it possible this leak will cause your credit and the money you have in any financial institution to come into question and the financial system will collapse?  Have a nice day!

     

    /goes off grid with hatchet, flint & steel, and a new tinfoil hat  (outgrown the old one)

     

  3. Edit: forgot to add that if you check the Microsoft Store, the top free app with in-app purchases has about 127k reviews.  The top paid app has less than 10k.  Granted reviews aren't indicative of actual sales but that's a huge discrepancy from Android and iOS apps.

     

    Who's with me for developing a minecraft-style racing casino game with call of duty style side missions and castle-building overworlds!?!?

     

    Windows 10 is like a mischievous pebble in my shoe.  I can't remove it, so I just keep wearing it. 

  4. This week's earning report from Mr. Satya "got my groove back" Nadella claims Windows 10 adoption leaped from 75 million devices in Aug 2015 to 110 million to-date.  That's 35 million devices.  It's possible, I understand as a corporate talking head you need to be a spinster, no harm in that.

     

    But down to dollar & cents, a company that 'restructures' earnings reports, relies on loss-leading Windows 10 to upsell an ethereal "cloud" service is starting to smell fishy.  (toss the books on the fire until you can cash out on your shares and bounce)

     

    Why does the URL at USA Today show "Microsoft-Earnings-Miss" yet preach otherwise?

    http://www.usatoday.com/story/tech/2015/10/22/microsoft-earnings-miss/74407358/

     

     

    From today's NYTimes reality post:  

    http://www.nytimes.com/2015/10/23/technology/microsoft-earnings.html?_r=0

    • The revenue Microsoft gets when it sells copies of Windows to PC makers fell 6 percent
    • During the quarter, Microsoft’s revenue from its Surface devices fell to $672 million, a steep drop from $908 million a year ago.
    • A more jarring decline was the 54 percent drop in revenue, when the impact of foreign currency fluctuations is excluded, from its mobile phone business.

     

    Intuit has bailed on Windows 10 and there's a lesson to be learned here:

    http://finance.yahoo.com/news/outrage-over-popular-app-highlights-234328495.html

     

     "the lion's share of mobile app developers either ignore Windows Phone completely, or else end up neglecting it once they realize that the return on investment just isn't worth it — just as Intuit found. "

     

    "And so, we see Microsoft's dilemma in miniature: There just aren't a lot of reasons for developers to make Windows Phone apps or Windows 10 apps. And without those apps, it can't sell more Windows Phones. The vicious cycle marches on. "

     

     

    Yet in the world of perception-dictates-reality, MSFT has been blowing up.

    Since CEO Satya Nadella took over for Steve Ballmer in February 2014, Microsoft stock has risen from $35 and hit a post-1990s high of $50 a year ago. It closed up 1.7% at $48.03.

     

    /me scurries back to the garage to continue working on my rocket ship to another planet

     

  5. I don't see Windows 10 giving Microsoft a path to the handheld device market, any more than Windows 8 did. Every device and OS the company has made for mobile has struggled and I'd be curious to learn how Win10 might change that. As far as I'm concerned, they're needlessly wrecking the Windows experience for their most loyal customers for the pie-in-the-sky of cellphone users who've never shown any great inclination to buy Microsoft.

    --JorgeA

     

    This is the piece of the puzzle that just doesn't fit.  Digging around for answers, I started to fly into the "CLOUD"!!! and once I reached an altitude high enough to stop smelling all the dung spewed by marketing folks, I began to choke and gasp for air, then I escaped back out and came up with this -- WARNING: this could be based in reality or it could be tabloid-style FUD.

     

    The Windows mobile market share is dreadful, surely they don't think they can change that and convert complacent iPhone/Android users by making them pay for a new phone when theirs are already FREE (so they think) and subsidized by the carrier?  Haven't cared to look, but all we've seen for the new Lumias is a retail price tag, no word on carriers that will be supplying it.  In conventional business, campaigns with loss-leaders to upsell later are commonplace.  But can MS really afford to have so many loss leaders in recent years (Xbox, Windows 10, now phones)?

     

    Just as they want Windows 10 on all desktops, perhaps they want Windows 10 on all phones - Lumias and everything else?

     

    Instead of only pitching very affordable low- and mid-range devices that come with some impressive software bundles, the company is apparently also thinking about taking over existing Android devices. 

     
    It appears Microsoft has found a way to install Windows 10 on Android handsets
     
    You read that correctly.  Currently there is only 1 model of phone - the Xiaomi Mi4 in China where you can re-flash Android and install MS's custom ROM.  So what, right?  That's just 1 phone, they can't possibly develop drivers for all the different chipsets that Samsung and all other Android phone manufacturers use, right?  They'd have to be willing to shell out a boatload of cash for cooperation, or have some pretty serious leverage against Samsung.
     
    Microsoft vs Samsung Patent settlement
     

    Microsoft was getting $5 [royalty] per Android handset sold by phone maker HTC under a patent agreement, and Microsoft was looking for up to $12.50 per phone from other handset makers.

    To apply the $5 price to Samsung, the Korean company could be paying Microsoft about $1.6 billion per year, based on Samsung's sales of 318 million smartphones in 2014.
       
    Samsung said it had agreed in 2011 to pay Microsoft royalties in exchange for a patent license covering phones that ran Google Inc's Android operating system. Samsung also agreed to develop Windows phones and share confidential business information with Microsoft, according to court filings.
     

    Assuming MS is now in possession of a multi-billion dollar royalty carrot over Samsung and now privy to the confidential business information of Samsung (presuming hardware drivers, etc) the question is what delivery method are they going to use to start "upgrading" Android phones to Windows 10 with custom ROM's?

     

    Microsoft Dialer for Android said to replace your phone app, coming later this year

    http://www.androidauthority.com/microsoft-dialer-for-android-said-to-replace-your-phone-app-coming-later-this-year-649180/

     

     

    The writing's on the wall!  Resistance is futile!  Time to stop worrying and learn to love the "bomb"!
    Stop fighting and just join!  We need to develop some more Mahjong clones, Bejeweled clones, FPS clones, Angry Birds clones, tower defense clones, etc just like the top-earning apps in the Windows Store!  Join and copy your way to success and profit!!!
    One of us!  One of us!
  6. ...the fact that so much is hidden in the new agreements for installing Windows 10...I wouldn't put it past Microsoft to hide the fact that you forfeit your old licence when you upgrade to Windows 10. :crazy:

     

    I already know that this isn't the case because of the computers that I have reinstated to the old licences....but it doesn't hurt to speculate on what will Microsoft do next and what are they really capable of.... :realmad:

     

    I wouldn't put this past them either, but the downgrade rights updated for Windows 10 are here:

     

    https://www.microsoft.com/en-us/Licensing/learn-more/brief-downgrade-rights.aspx

     

    In short:  If you buy a new PC (or license for custom-built PC) with Windows 10 Home, you're stuck.

    Every other edition grants downgrade rights to Win7 & Win8/8.1.  You just have to buy or supply the install media.

    You can switch among OS's as much as you want as long as you only have 1 active install at any given time.  (Excluding software assurance, but that's another whole bag)

     

    Functionally, the 30 day timer is just the window where you can revert back to a previous OS with all your data intact.  You can wipe Win10 and clean install 7/8 and be in compliance.  You may have to go through the special activation challenge/response process but that's not that bad really.

     

    With build 10565 they added the ability to activate the OS using Win7/8/8.1 keys.  To test I did a clean install of 10565 on a new hard drive so the "entitlement" wasn't present.  Plugged in my Win7 key and it activated just fine.

     

    Progress!

  7. It appears they're catering to Joe Consumer by mimicking Apple in some regards and running around like a fox in a hen house, stealing all the data while you pay no attention to the man behind the curtain.

     

    Both companies' offerings are functioning as they have specified so the only things left to improve are fonts, menus and emojis for christsakes.

     

    Apple releases flat menus and new fonts in Yosemite -> Microsoft releases flat menus and new fonts in Windows 10

    Apple releases new emoji in iOS 9 -> Microsoft releases new emoji in Windows 10

     

    I've listened to headline news on the net and on radio news/talk shows where grown men are excited about new SMILEY FACES as much as they are about cars/sports/new power tools?!!!?

     

    They're just smiley faces!  

    Reported for Apple's release: "you’ll see a ton of new emoji on the keyboard including taco, unicorn, a stop hand, turkey, burrito and block of cheese."  A block of cheese!

     

    Reported for Microsoft's release (Forbes no less!): "Microsoft has its mojo back. Under Satya Nadella the company is now radical, cool and determined to take risks. Apparently even with its emoji…While it may offend some, the middle finger emoji is at least racially diverse and it is included in five new Windows 10 emoji skin tone options."

     

    I'm saving my money so I can buy the next ticket off this planet.

  8. LetsWindows10, you're anticipating a new kind of identity theft?

     

    It seems careless and ripe for exploitation.  In the MS profile, there's a section for Money & Gift Cards (see screenshot above) for Microsoft Stores and Apps.  Wonder if it saves credit cards for "fast checkout" and how long it will take someone to compromise?

     

    A system is only as secure as its weakest link.  Plain text is weak.  There's a whole site dedicated to it http://plaintextoffenders.com

     

    From Krebs on Security regarding the Experian data leak (cleverly reported as a T-Mobile data leak in the media because no one needs to know it was actually the largest credit check firm in the world involved or they've never heard of Experian unless they've applied for a mortgage)

     

    The same source demonstrated how modifying just one or two numbers at the tail end of that link revealed requests for access to networked file shares from across a range of Experian’s business units. The requests included specific names of network shares, usernames, userIDs, and LanIDs, as well as email addresses, phone numbers of Experian personnel requesting and approving the changes.

     

    It's disconcerting at the least whenever a number is assigned to a human being.  I'm well aware of unique keys in databases, and that's potentially all this is, but it should not by any means be plain text and accessible via web from any unauthenticated browser.  I know someone who just searched for OneDrive screenshots and was able to pull up profile photos for the people who posted them.

     

    Most of this rant is wild speculation and...well, just a rant, but there are real-world examples of this practice being a Bad Idea™

     

    Leave a door open for long enough and you'll start to get uninvited guests.

  9.  

    ralcool, on 10 Oct 2015 - 7:16 PM, said:

     

    I'm waiting for the f'kin genius who invents a wireless light bulb that texts me when its blown. Ya wouldn't know otherwise.

     

     

     

     

    Oh light bulbs are already available in WiFi and Bluetooth flavors.  Search "wifi light bulb" on Amazon - at least 22 hits available for purchase - get yours NAOW! Don't you know they're "SMART"!1!1oneone  

     

    :w00t: (insert wacky arms inflatable tube man)

  10. Thanks to the blog post linked below where it was discovered that your unique ID was being passed to MS Cloud services in plain text, I've found the same unique ID located in the Windows 10 registry.

     

    http://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html

     

    The same ID passed in plain text to the cloud is located in the Windows 10 registry under:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Census\MSACIDs

     

     

    8RjtNYy.png

     

    The above screenshot is from Windows 10 build 10240.  I'll be updating OS build to confirm it persists across builds.  It was found while logged into Windows 10 with my Microsoft account - not a local account, so YMMV.  

     

    Originally I used the info in that blog post to verify his results under Windows 7 and IE11.  I logged into my Microsoft account and found the CID with Developer Tools (F12) on the Network tab.  (The CID is "yellowed-out" in all screenshots)

    6t4ZeSF.png

     

    Notice at the top right of the screenshot how Microsoft has conveniently recorded information about every PC I've used to test Windows 10.

     

    Stopped capturing network data, closed & reopened IE, started recording network data again and logged into OneDrive to find the same CID.

     

    gdKGQUz.png

     

     

     

    This information persists across hardware, it is not an "anonymous identifier."  It is directly linked to your MS account, in plain text, for the majority of Windows 10 users who do not use local accounts.

    I have Windows 10 and Windows 7 on separate physical hard drives and I physically swapped them out to test this. 

     

    What does this mean to the average user?  Probably not much yet, but I'm sure the blackhats are already on the case.

     

    Should we get CID tattoos now or later?  One of us!  One of us!

  11.  

    "Will they stop at the US borders?", is the gasoline I'd like to add to the fire…

     

     

    This really is a fascinating realm of legal hell that I predict Microsoft is going to find themselves sinking into and burning up.  (I am not a lawyer)

    We've seen the EU with their stricter anti-monopoly laws strong-arm Microsoft into releasing a special version of Windows - this is why they have Windows N Edition as well as their extended support contract for Windows XP (albeit at a hefty fee).  

    Similarly South Korea litigated their way to force the stripped & customized Windows KN Edition.  Their successes at enforcing "follow our local laws or pay fines or get out" could pave the way for other countries to take action under their privacy laws that the US gov't is too corrupt and incompetent to pursue.  

     

    There are now VERY tough laws protecting privacy in the EU, China and Brazil.  Collecting private data in Brazil is constitutionally illegal!

    Just as a class-action lawsuit in the US was inevitable due to the forced downloads on metered fee connections, I predict a nasty storm of legal trouble coming straight for MS from outside the US.  Here's hoping that this leads to a NEW edition of Windows 10 that is stripped of the data collection mechanisms so we can ease up on the myriad of customizations required to restrain this beast.

     

    MS:  "But we don't collect private data, silly!"

    Prove it and provide a way for us or a competent and independent 3rd party to examine the data being sent instead of trusting your word alone. Hopefully this capability will be available after the storm, but unlikely.

     

    Quote from a decent article on data collection outside the US

     http://www.insidecounsel.com/2012/01/01/the-challenges-of-collecting-data-outside-the-us?page=2

    [...]counsel should bear these tips in mind when trying to mine foreign data. It’s critical for companies and outside counsel to understand the differences between U.S. rules and foreign rules. 

  12. The selling points for Windows 10 that are being pushed are really rather comical.  Most, if not all, were already available in Windows 7 and are downright trivial and condescending.  For daily updates and rehashing of these, just check the @MicrosoftHelps or @WindowsSupport Twitter feeds.  All I can do is shake my head.  These are actually touted on their website or other MS media as exciting new features:

    • It has a Start Menu!!!
    • You can change the wallpaper!!!  
    • You can doodle on webpages!!!
    • It has Solitaire - with an exciting new subscription fee!!!
    • You can use Bing to search!!!
    • It has speech recognition!!! 
    • It supports Office 365!!!
    • The Control Panel is gone!!!
    • We removed the text "PC"!!!
    • You can download apps!!! (formerly called "applications, software, or programs" but those words are too long, silly!!!)
    • You can upload stuff to the internet!!!! (OneDrive)
    • You can view photos!!!  ("photographs" is also too long of a word, silly!!!)

    I was genuinely excited to see the next iteration of bad OS, good OS, bad OS, good OS, but this is now just a minimally viable product to satiate consumers and investors.  (But it's freeeeee!!!!)  I would've gladly paid for an OS with at least a college-try at innovation, but innovation is dead at Microsoft.  Windows is dead and is no longer their focus.

     

    The only innovative feature of Windows 10 is how they've managed to include a mechanism capable of circumventing data encryption with their forced automatic updates.  Strangely enough, the gov't task force on the "encryption problem" even agrees that users should be able to disable the automatic updates.  (put on your tinfoil hat and read page 6 of the actual draft proposal here)
