October 18, 2018
A security researcher named Sebastián Castro has uncovered a way of gaining admin rights and boot persistence on Windows PCs that is not only simple to execute but hard to stop as well.
This technique manipulates a parameter of Windows user accounts called the Relative Identifier (RID). A Windows security identifier (SID) uniquely identifies an account or group; its final component is the RID, which distinguishes that principal from every other one on the local machine or in the domain.
While many RIDs exist, the best-known are 500 for the built-in Administrator account and 501 for the built-in Guest account.
Windows keeps the data for each local account, including its RID, in the SAM hive of the registry. By editing the registry values that hold that data, one can change the RID recorded for any account.
Give a low-privileged account the RID of another account, say 500, and Windows treats that account’s logons as the Administrator’s and grants the Administrator’s permissions. Hence the term ‘RID hijacking.’
This method does not by itself break into a computer remotely: writing to the SAM hive requires administrative or SYSTEM-level access, so an attacker first has to get onto the machine by other means, such as malware or password brute force (or by finding it exposed on the internet without a password).
Once there, they can hand a compromised low-privilege account the Administrator’s RID and keep a permanent backdoor with full system access, one that survives reboots because it lives in the registry rather than in a running process.
Worse, the change triggers no alert to the victim, and it works on Windows XP through 10 and on Server 2003 through Server 2016.
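One practical check for the manipulation described above is to compare, for every local account, the RID encoded in its SAM key name against the RID stored inside the key’s binary F value; under RID hijacking the key name stays the same while the stored RID becomes 500. The script below is an added example for this article and is not code from the researcher’s own tooling; it assumes that the RID is the little-endian DWORD at offset 0x30 of the F value (the layout given in public descriptions of the SAM user record) and that it is run as SYSTEM, since the SAM hive’s ACL denies even administrators read access.

```powershell
# Added example, not code from the original article or from the researcher's tool.
# Walks HKLM\SAM\SAM\Domains\Account\Users and flags any account whose RID stored
# in the F value differs from the RID encoded in the key name (e.g. key 000001F5
# for Guest carrying RID 500 inside F).
#
# Assumption: the RID is the little-endian DWORD at offset 0x30 of the F value.
#
# Must run as SYSTEM, for example:
#   psexec.exe -s -i powershell.exe -ExecutionPolicy Bypass -File .\Check-RidHijack.ps1

$UsersKey  = 'HKLM:\SAM\SAM\Domains\Account\Users'
$RidOffset = 0x30

# Map RID -> account name using the last sub-authority of each local account's SID.
$NamesByRid = @{}
try {
    Get-LocalUser | ForEach-Object {
        $rid = [int]($_.SID.Value -split '-')[-1]
        $NamesByRid[$rid] = $_.Name
    }
} catch {
    Write-Warning 'Get-LocalUser unavailable; reporting RIDs without account names.'
}

$records = Get-ChildItem -Path $UsersKey -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
    ForEach-Object {
        $keyRid = [Convert]::ToInt32($_.PSChildName, 16)
        $f      = (Get-ItemProperty -Path $_.PSPath -Name 'F').F
        if ($f.Length -lt $RidOffset + 4) {
            Write-Warning "$($_.PSChildName): F value too short, skipping"
            return
        }
        $storedRid = [BitConverter]::ToUInt32($f, $RidOffset)
        [pscustomobject]@{
            Key       = $_.PSChildName
            Account   = $NamesByRid[$keyRid]
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Hijacked  = ($keyRid -ne $storedRid)
        }
    }

$records | Format-Table -AutoSize

$suspect = @($records | Where-Object Hijacked)
if ($suspect.Count -gt 0) {
    Write-Host "`nPossible RID hijacking:" -ForegroundColor Red
    foreach ($s in $suspect) {
        Write-Host ("  {0} (key RID {1}) carries RID {2}" -f $s.Account, $s.KeyRid, $s.StoredRid)
    }
    exit 1
}
Write-Host 'No RID mismatches found.'
```

Run it periodically (or from an endpoint agent) and alert on a non-zero exit code; a healthy machine shows every key RID equal to its stored RID, so a single mismatch is worth investigating even if the account looks unused.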
No response from Microsoft
What’s even more troubling is that the technique was disclosed back in December 2017 and Microsoft was notified, but the company never responded or issued a fix.
Thankfully, the technique appears to have gone unnoticed by malware authors so far; at least no incidents involving RID hijacking have surfaced yet.