Researcher Will Demo Bypass of Windows Service Isolation Feature

A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate  an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft’s efforts to close the security loophole.

A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate  an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft’s efforts to close the security loophole.

Security researcher Cesar Cerrudo of Argeniss Information Security and Software said he will demonstrate an exploit he has developed that would allow hackers to bypass a security feature called Windows Service Isolation, which is intended to make it easier to access Windows objects without requiring a administrator level privileges. Cerrudo will use the upcoming ekoparty Security Conference in Buenos Aires to present his exploit.   

Writing to Threatpost.com, Cerrudo said that his presentation will demonstrate a method to bypass the Windows Service Isolation feature, allowing an attacker who is able to upload content to a Windows endpoint running applications such as SQL server and Internet Information Server (IIS) to elevate her privileges from the limited Local Service or Network Service account to the Local System account, providing broad access to install malicious code on or otherwise modify the system. 

“For instance it will allow you to compromise a Windows system if you can upload content to IIS or exploit any process running under (the) Network Service or Local Service account,” Cerrudo  wrote.

The demonstration, if successful, will poke a hole in a protection plan that Microsoft has proposed for the privilege escalation problem – part of a larger body of research on privilege escalation problems affecting all flavors of Windows that Cerrudo has documented in his paper “Token Kidnapping’s Revenge.”  

The tendency to run popular services with administrator-level privileges has been exploited in the past by to install malicious programs on Windows systems. Microsoft added the Windows Service Isolation feature as a configuration option for companies that wanted to harden Windows servers and clients against attack. 

Microsoft has responded to the problems raised by Cerrudo and others with a security update to the Windows Tracing Feature for Services, MS10-059 for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The company also issued a security advisory, for the Windows Service Isolation issue, which provides workarounds for Windows customers running Internet Information Server as well as a security fix for the privilege escalation problem that involves applying an update to the Windows Telephony API. 

Cerrudo said that the configuration changes suggested by Microsoft will protect Windows  machines running IIS, but not other applications. Windows shops that don’t apply the security fix suggested are vulnerable to privilege escalation attacks if they’re running other applications on affected systems. He suggests that Microsoft update its advisory to make it clear that the security fix described in the advisory is a requirement for any customer running applications other than IIS on affected systems. 

Microsoft said it feels confident that its patch and advisory adequately cover the  possible attacks that Cerrudo will demonstrate. Jerry Bryant, Group Manager, Trustworthy Computing, Microsoft said that its security advisory addresses “the potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature.” However, the company notes that the Windows Service Isolation is a “defense-in-depth feature, not a proper security boundary” and shouldn’t be treated as such. 

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.