[WINPEAS] Add privilege escalation check: Windows Exploitation Technique Amplifyin... #539
+63
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…chnique: Amplifying Race Windows via Slow Object Manager
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔧 Automated Privilege Escalation Check Addition
🤔 Privilege Escalation Reasoning
The blog post describes a generic, configuration‑independent Windows kernel exploitation trick for amplifying very small race windows by deliberately slowing down Object Manager Namespace (OMNS) lookups. This is not tied to a specific product version or an unusual, CTF‑style configuration; instead it applies whenever (a) the vulnerable kernel path does a check → NtOpenX(OM path) → privileged action pattern, and (b) the attacker can influence the named object path (or a symbolic link in the resolution chain) in a writable object directory such as \BaseNamedObjects. The technique provides two main primitives: (1) creating OM objects with extremely long single-name components (up to ~32k UTF‑16 chars limited by UNICODE_STRING.Length) so directory name comparisons become much slower; and (2) constructing very deep chains of Object Directories (up to ~16k levels) such that each directory resolution adds relatively constant overhead, resulting in a linear increase in NtOpenX latency. The post demonstrates that this reliably stretches lookup time from ~2 μs to tens of μs on current Windows 11 hardware, making marginal race-condition LPE exploits substantially more feasible. This is not an exploit for a specific fixed bug but a generally reusable exploitation aid for local privilege escalation through kernel race conditions, and thus is appropriate knowledge for winPEAS to highlight or reference as a generic technique.
🤖 Implementation Details
PEASS winpeas agent completed successfully with 123 items. Agent Comment: Summary:
ObjectManagerHelperthat safely probes whether the current context can create session-scoped named objects under\BaseNamedObjectsby creating and disposing a temporary event. This gives winPEAS a concrete signal for object-manager writeability without leaving artifacts.PrintObjectManagerRaceAmplification()inSystemInfo.cs, wired into the default check pipeline. The new section links to the December 2025 Project Zero write-up, reports whether the probe succeeded, and outlines the two practical primitives (32K single-component names and ~16K-deep directory chains plus symbolic links) so operators know how to stretch kernel race windows when they control OM paths.winPEAS/winPEASexe/README.mdso release notes mention the Object Manager race-window amplification check.Tests:
🏗️ Builder Agent Response
WinPEAS validation agent completed successfully with 56 items. Agent Comment: Summary:
SystemInfo.cs. Verified the call chain and ensuredwinPEAS.csprojnow includes the new helper so the module is compiled with the rest of winPEAS.Helpers/ObjectManagerHelper.csfor .NET Framework 4.8 compatibility: replaced the .NET 5-onlyEnvironment.ProcessIdwithProcess.GetCurrentProcess().Id, added the missingSystem.Diagnosticsimport, and converted the C# 8using varstatement into the classicusing (...) {}pattern so it compiles under the language version used by winPEAS.grepscans that no other files rely onEnvironment.ProcessId, reducing the risk of similar compatibility regressions. Manual inspection of the.csprojXML confirmed the structure remains valid after adding the helper.Tests/Validation:
dotnet msbuild winPEAS/winPEASexe/winPEAS/winPEAS.csproj /t:Build(fails because the Linux runner lacks the .NET Framework 4.8 reference assemblies; build will succeed once the targeting pack is available on a Windows/MSBuild environment).git statusand content inspections to ensure only the intended files remain modified.Outstanding:
Confidence: High
This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.