Patch Lady – 31 days of Paranoia – Day 18

    Today we’re taking a break from our normal paranoia to discuss a recent vulnerability.  The headlines imply that a guest user can gain admin rights via this attack, but that’s not how I’m reading it.  Windows RID hijacking, as the original blog describes it, lets an attacker “Assign the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled.”  That is, the rights of the account you attacked can then be assigned to another account.  IF the account you hijacked is the administrator account, you can then assign those admin rights to a lower-level account.  So it does hide the fact that one has a back door in the system.  But… here’s the thing… you already had to have been hacked by something or someone before the RID hijacking could occur in the first place.

    Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
    The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
    But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

    So the real issue is that you were hacked by something else first… and then this obfuscation can occur.
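    A defender-side check for the registry tampering the quoted article describes, added here as an example (it is not code from this post, from the researchers, or from any Microsoft tool): each account under HKLM\SAM\SAM\Domains\Account\Users lives in a subkey named for its RID in hex, and its binary F value carries the RID the system actually uses, so a mismatch between the two is the fingerprint of a hijacked RID. The F layout assumed below (RID as a little-endian DWORD at offset 0x30, account-control flags at 0x38) comes from public SAM format descriptions, and the input is constructed sample data; on a live host the blobs would be read with SYSTEM rights.

```python
import struct

# Offsets in the SAM user "F" value (assumed from public SAM format descriptions).
RID_OFFSET = 0x30        # DWORD, little-endian: the RID the SAM actually grants
ACB_OFFSET = 0x38        # WORD: account control bits
ACB_DISABLED = 0x0001    # USER_ACCOUNT_DISABLED
ADMIN_RID = 500          # built-in Administrator

def make_f_value(rid, acb_flags=0):
    """Build a minimal F blob (constructed test data, not a real SAM dump)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, acb_flags)
    return bytes(f)

def parse_f_value(f):
    """Return (rid, account_control_bits) stored inside an F value."""
    rid, = struct.unpack_from("<I", f, RID_OFFSET)
    acb, = struct.unpack_from("<H", f, ACB_OFFSET)
    return rid, acb

def find_hijacked_rids(users):
    """users: {hex subkey name: F bytes}, one entry per account key
    (the 'Names' subkey is not an account and must not be passed in).
    Returns one finding per key whose name and F value disagree on the RID."""
    findings = []
    for key, f in users.items():
        key_rid = int(key, 16)
        f_rid, acb = parse_f_value(f)
        if f_rid != key_rid:
            findings.append({
                "key": key,
                "key_rid": key_rid,
                "f_rid": f_rid,
                "disabled": bool(acb & ACB_DISABLED),
                "impersonates_admin": f_rid == ADMIN_RID,
            })
    return findings

# Constructed sample: Administrator (500, disabled), Guest (501, disabled), and a
# local account under key 000003E9 (RID 1001) whose F value now says RID 500,
# which is the condition the quoted article describes.
SAMPLE_USERS = {
    "000001F4": make_f_value(500, ACB_DISABLED),
    "000001F5": make_f_value(501, ACB_DISABLED),
    "000003E9": make_f_value(500),
}

if __name__ == "__main__":
    for hit in find_hijacked_rids(SAMPLE_USERS):
        print(hit)
```

    A clean host should produce no findings at all, so any output from this check is worth an incident ticket regardless of which RID the F value carries.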

    Sometimes in security it’s hard to get a real sense of the true risk.  We spend hours in TSA lines but aren’t really any more secure than we think.

    Bottom line: don’t be quite so paranoid about this vulnerability.  Be more concerned about something you probably have absolutely no control over.  The bigger vulnerability we all should be freaking out over is the libssh authentication vulnerability.  As described, “it allows anyone to authenticate to a server without any credentials, simply by telling the system that they’re a legitimate user.”  As the Threatpost post puts it, it’s the equivalent of the Jedi mind trick… the attacker can just say “these aren’t the droids you are looking for” and gain access.  Do you know which of the applications you currently use rely on libssh?  No, we don’t.

    That, my friend, is true paranoia: when we know we probably are at risk, but don’t know what software might be at risk.