Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM

DerbyCon 6.0 - Recharge

Presented by: Stephen Breen, Chris Mallz
Date: Friday September 23, 2016
Time: 14:00 - 14:50
Location: Regency South
Track: Teach Me

At Shmoocon early this year, we released Potato, a new method and tool that took advantage of neglected 15 year old issues in all versions of Windows to elevate any user's privilege to SYSTEM in default configurations. We had planned on releasing a much improved version of said tool here at Derbycon, but Microsoft had other plans. On June 14, 2016 we were surprised to find that Microsoft released MS16-075 which seems to break Potato. Luckily we still have one more trick up our sleeves that has proved useful in real-life scenarios. We will be discussing a technique based on the Potato exploit that allows for elevation from many Windows service accounts (such as those used by IIS and SQL Server) to SYSTEM in default configurations on all Windows versions.

Stephen Breen

Chris Mallz


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats