
Windows 10 Privilege Escalation via Dolby's DAX2_API Service - x42
http://x42.obscurechannel.com/?p=263
======
frik
"System" is the highest privilege, like "root" on Linux.

~~~
jodrellblank
Not necessarily in Windows 10 Enterprise, there can be some limits to what
"System" can access, with a feature designed to protect credentials from
exploited drivers:

_With Windows 10 and Device Guard, credentials are stored encrypted using
Hyper-V, an approach known as "virtualization-assisted security." Credential
Guard blocks access "even when an untrusted program has full administrative
access to your environment,"_

_Drivers can't get into the Local Security Authority of Windows 10_

[https://redmondmag.com/articles/2015/10/28/windows-10-creden...](https://redmondmag.com/articles/2015/10/28/windows-10-credential-guard.aspx)

~~~
creshal
So, System still has full access to ring 0, but some bits of the OS are moved
into the hypervisor "ring -1"?

~~~
WorldMaker
It seems a bit more inception-like than your numerics betray... The driver
ring 0 is now a deeper dream than hypervisor ring 0.

------
akx
So it's not even a vulnerability in the service's code, but in its metadata
(file permissions).

Neat!
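
An added example (not code from the article or from anyone in this thread) of the audit a defender would run for this bug class: it lists services whose executable's NTFS ACL grants write-type rights to low-privileged principals. The set of principals and the rights mask below are assumptions for this script, not values from the article.

```powershell
# Added example: find Windows services whose binary can be modified by
# low-privileged users (weak file permissions, the issue the thread discusses).
# The principal list and the rights mask are assumptions for this audit.
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$weakRights = [System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,WriteData,AppendData,TakeOwnership,ChangePermissions'

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # PathName is the raw ImagePath: it may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }   # -match is case-insensitive
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-WeakServiceBinaryAcl {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceExecutablePath $svc.PathName
        # Relative or unparsable paths are skipped rather than guessed at.
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights show up as raw bits, so compare as integers.
            if (([int]$ace.FileSystemRights -band [int]$weakRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName   # e.g. LocalSystem
                Path      = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WeakServiceBinaryAcl | Format-Table -AutoSize
```

Any row where StartName is LocalSystem and a low-privileged principal holds write rights is the same condition the article describes; inherited ACEs from a permissive parent directory are reported too, since they matter just as much.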

------
x42
Ships with Lenovo ThinkPads running Windows 10 by default, possibly Windows 8.

------
derFunk
I can imagine it would be possible to reverse engineer the service interfaces
of DolbyDAX2API.exe ("exported functions"), write a wrapper which embeds the
original executable and forwards the service requests to the original
implementation. The wrapper could contain malicious code and intercept the
service calls. This could even be done generically. Maybe something like this
exists already anyway. This way nobody would notice that something is wrong,
functionality-wise. Perfect eavesdropping on Windows services.

~~~
roddux
I was thinking this was where the article was going, but the solution ended up
being a lot simpler. It leaves traces and notifies the user, though...

I suppose yet another way would be to make a copy of the executable before the
overwrite, then restore it after gaining a stable SYSTEM shell.

------
CrowFly
Is this "Dolby DAX2" a standard component? There's no trace of it on my stock
Windows 10 Surface Book.

~~~
rasz_pl
It's value-added BS. Dolby tries very hard to be Creative 2.0 by pushing
patented crap into standards (HDMI, Blu-ray) to position itself as essential
for hi-def audio = collect patent tax.

~~~
creshal
The ubiquity of DTS in the PC and hifi market is probably scaring the crap out
of them.

------
libeclipse
This is really an argument about whether or not proprietary systems are
inherently more secure. I run Arch on my main system, and when a vulnerability
is disclosed, it's often patched within hours. Windows is littered with bugs,
vulnerabilities, and security holes. Older versions have been left to rot,
leaving thousands of systems vulnerable.

Of course, it could be argued that the weakest link in the chain is the user,
but with a vulnerability like this one, I don't see how that applies.

~~~
worewood
In this case the "user" is the system manufacturer who developed an
exploitable application, in this case, Lenovo.

Lenovo could sell a Linux PC with a similar application that communicated with
a daemon running as root whose binary was saved in /bin with 0777 permissions.

There is nothing special about Windows that makes this vulnerability possible.

The end user mistake here was buying Lenovo.

~~~
bizarref00l
For things like this SELinux really comes in handy.

