Old Windows quirks help punch through new admin defenses
"The issue focuses on how Windows handles these directories for specific user sessions. Because the kernel creates a DOS device object directory on demand, rather than at login, it cannot check whether the user is an admin during the creation process. Unlike UAC, Administrator Protection uses a hidden shadow admin account whose token handle can be returned by the system when calling the NtQueryInformationToken API function."
"The researcher demonstrated that attackers can modify the token's owner security identifier to match their own user ID. Impersonating this token means that an attacker can force the kernel to create a new directory and assign ownership to them, effectively being able to control it."
Nine vulnerabilities reported in December could allow attackers to silently grant themselves admin privileges on machines with Administrator Protection enabled. Microsoft patched the bugs before the feature reached general availability; the feature is currently limited to Insider Canary builds. Administrator Protection grants temporary, pre-approved admin privileges that are revoked automatically on a per-process basis. A notable flaw in logon-session handling stemmed from the kernel creating DOS device object directories on demand rather than at login, at which point it cannot check whether the requesting user is an admin. Administrator Protection also exposes a hidden shadow admin token: an attacker can modify the token's owner SID to match their own, impersonate the token, and force the kernel to create a new directory owned by them, enabling privilege escalation.
Read at Theregister