Hi everybody. I'm here to present and demonstrate to you a new method and tool I formed. It's called BITSInject and it lets you, as the local administrator, gain and execute any program of your will as the Local System user in session zero. First, a couple of words about myself. I'm Dor Azuri. After a couple of years in the IDF, I now do security research at SafeBreach in Israel. I started from data analysis, then network research, and I'm now doing mostly software research of many kinds of creatures: the bad ones, such as ransomware and other malware, and the good ones, such as this Windows component. This whole method is about two general techniques that are used. I'm attacking the serialization mechanism that BITS uses; we will talk about it. And doing a trick, a debugging trick, to bypass a security check that is enforced by this service. First let me introduce this mechanism. And I say mechanism because BITS is not only a service, it is also a protocol. You might already know it as a protocol. It sits on top of HTTP. It has some new behavior using new headers and different handling of the request. It stands for Background Intelligent Transfer Service. And I asked myself why it is called intelligent. There are two reasons, I think: it has many advantages, and it optimizes the bandwidth usage to obtain better transfer rates. In short, this service lets you, as any client, as a programmer or as a utility, transfer files, either upload or download. It has been here with us for a long time, since Windows XP, since 2001. It has had four major versions since then; we're now at version four since 2012. It is used mostly by software to download updates in the background. It is a good candidate for doing that. And the most known and popular use that you may already know is the use that Windows Update makes of BITS. It has many advanced features, such as doing retries on errors, using proxies and authentication, and many others.
And last but not least is the feature of defining a callback. It's called a command line, a notification command line, that lets you define a program to execute when the job ends. You can look at the operations and the different actions that it's doing using the Event Viewer when you filter on the BITS client. Now we'll start with the demonstration. I'll take you through this one-click tool. It has many other features, but I'll do the easy mode. I will take you to an interactive session in session zero and you will see how fun it is to be the system. First, I just empty the queue for it to be easy to understand. It can work with a full queue as well. I'm talking about the queue that BITS maintains for all the jobs that it is handling. Sorry for that. Yeah, thanks. So, the easy interface: this parameter to give, and all you have to give it is the program you want to execute. You give the path. Sorry. And that's it. It starts with building a payload of the job, a binary payload that will be injected into the queue. We'll go over the exact details afterwards. And on the second screen, I can show you how the queue looks at a specific time. Sorry about that. Yeah. So after the execution has ended, the queue has returned to being empty, just as it was before. And if you notice, we got a notification, a pop-up by Windows saying that the service is trying to communicate with the active desktop. So we'll go and view that message. And this is the place. This is session zero. And if you're confused about where we are here, you can ask the computer. We are the system. There are many cool things you can do here. You'll see very strange behavior when you try to spawn different programs, even Explorer. We won't have time to do that now, but you can try it yourself. Yeah. So I was very excited to see this place the first time. I guess that if you have never developed a service yourself, you didn't get to see that. I hadn't as well.
So we'll go over a couple of basic terms about BITS before we understand the method. BITS can be used by many different programs and utilities. There's a built-in utility in Windows called BITSAdmin. It is now deprecated and you can use the PowerShell cmdlets to control BITS in the recent versions. You can also use one of the third-party apps or create your own. So jobs, BITS jobs, are added from many different sources. All of them are of one type: download, upload, or upload-reply. They're all using the COM interface, using the QMGR proxy that proxies the calls to the real implementation in qmgr.dll. It is important to understand that BITS needs to maintain and asynchronously handle all the requests and all the transfer jobs. And for doing that, BITS maintains a state file. This is just a binary representation on the hard disk of the whole queue of the jobs and the job objects themselves. This is where the attack happens. We will understand it in a few minutes. Now, each job that is added has an owner. The owner is the user that requested the job, and only this user can then make actions on that job, crucial actions. BITS has had many known malicious uses before. It is used as a malware downloader just using PowerShell cmdlets. And as a persistence mechanism, it can be used to trigger a job that will re-download the same binary and will execute it even months after the creation. Yeah. Okay. Thanks. It is also used to do C2 communication, taking advantage of the advanced features such as the proxies and authentication. It is a good candidate for malware to use to communicate. So what is the real abuse we are doing? I started with looking at how different programs are using BITS. And I was very jealous of how the Windows Update service is using BITS to download updates and then execute them as the system.
The enabling feature hides behind the notification command line, the callback that I previously told you about. What's behind it is just a call to SetNotifyCmdLine, which eventually calls CreateProcessAsUser. And this is what we are taking advantage of. If the user, the owner of the job, is SYSTEM, then the command line will be executed as SYSTEM. So what we really, really want to do is create our own job with SYSTEM being its owner. So the first naive try was using PsExec. PsExec lets me execute my own command as the SYSTEM user. But PsExec gives you the interface in your own session, in the user session, and not in session zero. Session zero is where the service that PsExec creates runs. So I started with a naive try and wanted to create a job. And the creation was successful, because it only adds a new GUID to the queue. But trying to do a real crucial operation, such as adding the file definition to be transferred, caused an error. And the exception was "Unable to add file to job. The operation being requested was not performed because the user has not logged on to the network." And this is crucial to understand: that security enforcement that we will later bypass. And the funny part about that is that when I tried to cancel or delete the job using the command, I couldn't, and I got the same exception. So I got into an absurd situation where God, in this case SYSTEM, created a job that he cannot delete. And actually this was my first clue to go and investigate the state file, because the only way I found to delete that job was to completely delete the state file, which holds the whole queue. So I went over and looked at the flow that Windows Update is using to create a job. The first would be to get the context of the server, the BITS server. And then naturally you would create the job. And this is one of the API calls that QMGR offers. So if you look at this example, you see the description parameter being "WU Client Download".
And if you look at your computer while it downloads an update for Windows, you will see in the queue at least one job with this description. Then the next thing, just like we did in the command line, is adding a file definition. Then only when you explicitly call Resume will the job start and transfer the files. The two last calls are actually being called by the BITS service itself internally when it decides that a new transfer chunk should be transferred. So I compared these two flows: the valid one that we got from Windows Update and the failed one that I tried with PsExec. The first call was identical in parameters and succeeded in both. And the second call was identical in parameters, but we got an exception when we were running from PsExec. I dug into the reason and found the security enforcement that is done here. Every operation that is done on the job needs to be verified: the client, the user that requested it, is logged on in that session. And the reason we got an exception is because the user, SYSTEM, was not logged on in session one, where PsExec would let me execute the commands. So what was the solution? Just faking the session ID in memory. So this is the flow that is performed before any call. First, BITS wants to switch to the logon token of the user that requested the action. It needs to clone it. And to find the real token that it needs to clone, it just iterates through all the logged-on users in the session that was requesting the action. Now, the session is acquired by a GetTokenInformation call. And when we ran this with PsExec, we got an exception because SYSTEM is not logged on in session one. All we had to do is change, in memory, the return value of that API call to zero, and BITS would then search for the logged-on user in that session. And of course that succeeds, because SYSTEM is logged on in session zero. This is how we bypass the security check at this gate.
But the new job, which is now valid and is in the state file, is in the suspended state. This is the initial state for each job that is added. And it means that it won't start a transfer or execute. So I went back to the state file, where, you remember, I saw that it can control all the flow of the jobs that BITS maintains, and it really does. The state file is actually two files that are updated alternately, and the current effective one is stated in the registry in that value. So I remind you, we want to move the job from the suspended state to the queued state, where it will start execution. And what's in the state file? The state file is just a clear, straightforward binary representation of the job objects and the queue as a whole. For example, a string representation would look like that. Very easy to understand. And this really is how you're going to see it when you edit the file. It is unencrypted. And it is partially protected, because as long as the service is on and running, you won't be able to edit it, not even as the administrator. But when you stop the service, the administrator has full access to that file. I remind you, this is what we want to do. And that is the complete layout of the method and what the tool does. It stops the service, modifies the files, puts them in place, and starts the service again. When the service restarts, it just loads the objects, the binary representation of them, into memory and continues with the execution. And when we do that and look at the queue, we can see that we added the file, we added the job with SYSTEM being the owner. It is now connecting, meaning the execution has started. And when it ends, the command line would be the CMD run as SYSTEM at an elevated integrity level. So from that point, after we managed to do it once, I wanted to make the solution better. And migrating the files to another machine, to the same location, surprisingly did the job.
I just copied the file to another machine and the machine would have the same queue as the original machine. It is not machine dependent, but it is version dependent. Different versions have slightly different state file structures, and it's not hard to see the difference. There are no new capabilities. This is just a glimpse of how it looks, and you will get the parser for looking at your state files yourself. And another improvement I wanted to do is to not overwrite existing jobs. If I go and put the whole file on a different machine, I would ruin the existing jobs and interfere with them. So what we had to do is just increase the job counter, which is located somewhere at the top of the queue structure, and push the job payload, the binary payload, to the right place. This is what the tool does. It just injects the Local System job, its binary payload, removes it when it finishes, and what you get is what you saw before: the execution of the program that you specified. You can also change the job parameters and do much more. The easy way to do that is what I showed you before. And if you noticed, we had to go to the end of the job to really get the execution. The end of the job can be either completion of the transfer or going into the error state. And I wanted to accelerate the time that it takes to get into the error state. So on Windows 7, I just set up a localhost and intentionally put an answer to the request that will cause an error. The job immediately goes into the error state and the execution starts. On Windows 10, it is even better, because you don't even have to produce any network traffic. If you fake the volume serial number, which is one of the properties of the job, you get a mismatch between the path that you specified and the actual volume serial number, and the error will happen before any network traffic is made, and you will immediately get the execution. Another potential abuse I've seen along the way is choking specific Windows updates.
When it downloads a file, it first creates a hidden file with a very specific name format. This format encloses only about 70,000 names. So if I create 70,000 hidden files with that name format, I choke all the namespace that BITS can use, and it just fails. And the error you will see is not very indicative; it just says that Windows encountered a problem. And you can also use the proposed method to create jobs and modify current jobs, and just think what you can do with that for other programs that use BITS. That was the Microsoft Security Response Center response: the administrator can do much worse things. And that's it. You can see the links here. You can find the tool code and the parser and the simple BITS server, and hit me up for any requests or questions. Thank you.
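As an added, defensive example (not the speaker's code or tool), the sequence the talk describes, BITS stopped, state file edited offline, BITS restarted, then a SYSTEM-owned job with a notification command line appearing, correlated over a constructed event timeline. The state-file directory, the event shapes and the process names are assumptions for the sample, not values taken from the talk.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed state-file directory for the sample; adjust to the OS version in use.
STATE_FILE_DIR = r"C:\ProgramData\Microsoft\Network\Downloader"


@dataclass
class Event:
    ts: datetime
    kind: str                    # "svc_stop" | "svc_start" | "file_write" | "job_new"
    detail: dict = field(default_factory=dict)


def find_state_file_injection(events, window=timedelta(minutes=5)):
    """Return (severity, message) findings for stop -> offline edit -> start -> SYSTEM job."""
    findings = []
    stopped = False       # BITS currently stopped
    tampered = False      # state file written while BITS was stopped
    restarted_at = None   # BITS restart time that followed an offline write
    for ev in sorted(events, key=lambda e: e.ts):
        d = ev.detail
        if ev.kind == "svc_stop" and d.get("service") == "BITS":
            stopped, tampered, restarted_at = True, False, None
        elif ev.kind == "file_write" and stopped and d.get("path", "").lower().startswith(STATE_FILE_DIR.lower()):
            tampered = True   # only an admin can do this, and only while the service is down
            findings.append(("medium", f"BITS state file written by {d.get('process')} while service stopped"))
        elif ev.kind == "svc_start" and d.get("service") == "BITS":
            stopped, restarted_at = False, (ev.ts if tampered else None)
        elif ev.kind == "job_new" and d.get("notify_cmdline") and d.get("owner", "").upper().endswith("SYSTEM"):
            job = f"SYSTEM-owned job '{d.get('description')}' with callback '{d['notify_cmdline']}'"
            if restarted_at and ev.ts - restarted_at <= window:
                findings.append(("high", job + " appeared right after BITS restarted following an offline state-file edit"))
            else:
                findings.append(("low", job + "; verify the creating process"))
    return findings


# Constructed sample timelines (not real logs)
T0 = datetime(2019, 3, 1, 10, 0, 0)
SAMPLE = [
    Event(T0 + timedelta(seconds=1), "svc_stop", {"service": "BITS"}),
    Event(T0 + timedelta(seconds=2), "file_write", {"path": STATE_FILE_DIR + r"\qmgr0.dat", "process": "tool.exe"}),
    Event(T0 + timedelta(seconds=3), "svc_start", {"service": "BITS"}),
    Event(T0 + timedelta(seconds=4), "job_new", {"owner": r"NT AUTHORITY\SYSTEM", "description": "WU Client Download",
                                                 "notify_cmdline": r"C:\Windows\System32\cmd.exe"}),
]
BENIGN = [
    Event(T0, "job_new", {"owner": r"NT AUTHORITY\SYSTEM", "description": "WU Client Download", "notify_cmdline": "updater.exe"}),
    Event(T0, "job_new", {"owner": r"CORP\alice", "description": "user download"}),   # no callback: ignored
]

if __name__ == "__main__":
    for severity, message in find_state_file_injection(SAMPLE):
        print(severity, message)
```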