This year at DEF CON, in addition to a repeat of the Black Hat research “Adventures of AV and the Leaky Sandbox” by Amit Klein and Itzik Kotler, our SafeBreach Labs researcher Dor Azouri also presented a new hacking technique exploiting Windows BITS.
What is BITS? It’s a mechanism (service and protocol) that facilitates transferring files over HTTP asynchronously in the background-- featuring priorities, fail recovery, and persistency. Its most widespread use is to download Windows updates from Microsoft servers. Many other programs use it as well for downloading updates.
Dor demonstrated a hacking technique that exploits a flaw in Windows BITS’ object serialization model and uses it to change job properties, run programs and execute other unauthorized functions, ultimately gaining code execution as the LocalSystem privileged user.
For more information, check out the details on the technique in our whitepaper here.