Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy.

Token Kidnapping's Revenge

Type: Paper
Tags: exploiting, Windows
Authors: Cesar Cerrudo
Event: Black Hat USA 2010
Indexed on: Mar 27, 2013
URL: https://media.blackhat.com/bh-us-10/whitepapers/Cerrudo/BlackHat-USA-2010-Cerrudo-Toke-Kidnapping%27s-Revenge-wp.pdf
File name: BlackHat-USA-2010-Cerrudo-Toke-Kidnapping%27s-Revenge-wp.pdf
File size: 168.1 KB
MD5: 622b1073acb2c172d97853e61ce106b2
SHA1: 3af7473ffc2d358e75f409f7d4e3ce65f63ab78c

On April 14, 2009, Microsoft released a patch (documented here) to fix the issues detailed in my previous Token Kidnapping presentation (download PDF). The patch properly fixed the issues but... This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7. These new attacks allow bypassing new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to the Local System account and completely compromise Windows OSs. While the issues are not critical in nature, since impersonation rights are required, they allow exploiting services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way, showing how the new issues were found, with what tools, techniques, etc., allowing the participants to learn how to easily find these kinds of security issues in Windows operating systems.
