Operating System philosophy

Going deeper into a rabbit hole.

Learning about the systems from a philosophical stance.

System designers had a vision and goal in mind when creating their products. The definition of a system is a set of rules, an arrangement of things, or a group of related things that work toward a common goal. An example of a system is the laws and procedures of a democratic government. ... An example of a system is all the organs that work together for digestion.

In all cases of systems, be they operating or biological ones, all interconnected parts work together toward an end goal. Can the purpose of a system be sustaining the life and longevity of the system itself, or is there something more to it?

Systeminfo vs uname -a

In the IT world we have two major systems that dominate user experience: Windows and Linux. The similarity here is that an operating system is a program that manages a computer's hardware. It also provides a basis for application programs and acts as an intermediary between the computer user and the computer hardware. An amazing aspect of operating systems is how they vary in accomplishing these tasks. Mainframe operating systems are designed primarily to optimize utilization of hardware. Personal computer (PC) operating systems support complex games, business applications, and everything in between. Operating systems for mobile computers provide an environment in which a user can easily interface with the computer to execute programs. Thus, some operating systems are designed to be convenient, others to be efficient, and others to be some combination of the two.

Now that we know the similar function that both operating systems share, let's look at the underlying philosophy of Linux and Windows.

Linux and the Unix Philosophy, by Mike Gancarz, is quite informative:

An operating system, by its nature, embodies the philosophy of its creators... The creators of the Unix operating system started with a radical concept: they assumed that the user of their operating system would be computer literate from the start. The entire Unix philosophy revolves around the idea that the user knows what he or she is doing.

UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things. -- unknown (generally attributed to Doug Gwyn, but no information found about him)

Going through the reflections of those who have used Unix systems to their full capabilities, we see an emphasis on the freedom to make mistakes. Windows, on the other hand, approaches user experience from a different standpoint:

For example, the philosophy of Windows is very similar to that of Digital Equipment Corporation's (DEC) VMS operating system. It amounts to "shield the users from everything that might get them into trouble." Of course, the reason for this similarity is that the prime developer of Windows NT is the same person who developed VMS. The philosophy of both operating systems is based on the underlying belief that users are afraid of computers and need to be shielded from their complexity.

Taking the power of responsibility away from users versus giving them more power. What does it take to break the system?

Comparison:

https://www.youtube.com/watch?v=-ccSckKZA6E – no hassle

https://www.youtube.com/watch?v=BBWT2CqEsO0 – lots of hassle.

With that in mind, let's dive into understanding the operating system architecture, starting from the kernel:

The kernel is the core of the operating system. It performs functionalities such as communicating with hardware devices, process management, file handling, and many other tasks. Various operating systems have different kernels depending on the type of OS. Moreover, devices in Windows and Linux have different kernels.

Structure of the Windows NT Kernel:

Diagram of the functions of Windows NT kernel

This is where and why we "enumerate" with the aim of privilege escalation, the process of gaining more control over the system. Let's call it a revolution, or the process of overthrowing a kernel, metaphorically speaking.

Extracting information about the Windows kernel version can be done through:

Navigating to C:/Windows/System32 and checking the version of ntoskrnl.exe

Command line:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Enterprise LTSC
OS Version: 10.0.17763 N/A Build 17763

Powershell:

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, CSDVersion, ServicePackMajorVersion, BuildNumber | FL
Caption : Microsoft Windows 10 Enterprise LTSC
CSDVersion :
ServicePackMajorVersion : 0
BuildNumber : 17763
[System.Environment]::OSVersion.Version
Major Minor Build Revision
----- ----- ----- --------
10 0 17763 0

Or WMIC (Windows Management Instrumentation Command):

wmic os get buildnumber,caption,CSDVersion /format:csv
Node,BuildNumber,Caption,CSDVersion
DESKTOP-JHU119R,17763,Microsoft Windows 10 Enterprise LTSC,

Why is it important to know the Windows kernel version from a security standpoint?

searchsploit Microsoft Windows kernel | grep local
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation | exploits/windows_x86/local/43192.c
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (MS15-052) | exploits/windows/local/37052.c
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039) | exploits/windows_x86/local/44480.cpp
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017) | exploits/windows_x86/local/44479.cpp
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) | exploits/windows_x86-64/local/20861.txt
Microsoft Windows Kernel - Local Privilege Escalation (MS06-049) | exploits/windows/local/2412.c
Microsoft Windows Kernel - 'win32k.sys' Local Privilege Escalation (MS14-058) | exploits/windows/local/39666.txt
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (1) | exploits/windows/local/40823.txt
Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2) | exploits/windows/local/41015.c
Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit) | exploits/windows_x86/local/33213.rb
Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation (MS05-055) | exploits/windows/local/1407.c
Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow | exploits/windows/local/32590.c
Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073) | exploits/windows/local/36327.txt

That basic enumeration is the one most commonly used. However, attempts at exploiting the Windows kernel do not end here at all. We still need to explore other avenues, as pointed out in the kernel diagram below:

Company -> Executive power -> Managers -> Little guys?

The Windows Executive services make up the low-level kernel-mode portion, and are contained in the file NTOSKRNL.EXE.[8] It deals with I/O, object management, security and process management. These are divided into several subsystems, among which are Cache Manager, Configuration Manager, I/O Manager, Local Procedure Call (LPC), Memory Manager, Object Manager, Process Structure and Security Reference Monitor (SRM). Grouped together, the components can be called Executive services (internal name Ex). System Services (internal name Nt), i.e., system calls, are implemented at this level, too, except very few that call directly into the kernel layer for better performance.

2.

Security Reference Monitor - The primary authority for enforcing the security rules of the security integral subsystem.[20] It determines whether an object or resource can be accessed, via the use of access control lists (ACLs), which are themselves made up of access control entries (ACEs). ACEs contain a Security Identifier (SID) and a list of operations that the ACE gives a select group of trustees—a user account, group account, or login session[21]—permission (allow, deny, or audit) to that resource.[22][23]

2.a

I see ACLs, or ICACLS.exe for short.

The Windows counterpart of Linux's chown lets us check folder permissions, and with /save it exports the ACL entries together with their SIDs as well:

icacls c:\windows\Temp /save Desktop/New.txt
processed file: c:\windows\Temp
Successfully processed 1 files; Failed processing 0 files

Output:

more Desktop\New.txt
Temp
D:PAI(A;CI;0x100026;;;BU)(A;;FA;;;BA)(A;OICIIO;FA;;;BA)(A;;FA;;;SY)(A;OICIIO;FA;;;SY)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;S-1-5-21-2437496762-2379314466-1107088517-1001)S:AINO_ACCESS_CONTROL

2.b

A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal. When a user logs into a computer, an access token is generated that contains the user and group SIDs and the user's privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny a particular action on a particular object.

How to find out more information about SIDs?

From a command line:

whoami /user
USER INFORMATION
User Name SID
===================== ==============================================
DESKTOP-JHU119R\admin S-1-5-21-2437496762-2379314466-1107088517-1001

WMIC:

wmic useraccount get name,sid
Name SID
admin S-1-5-21-2437496762-2379314466-1107088517-1001
Administrator S-1-5-21-2437496762-2379314466-1107088517-500
DefaultAccount S-1-5-21-2437496762-2379314466-1107088517-503
Guest S-1-5-21-2437496762-2379314466-1107088517-501
WDAGUtilityAccount S-1-5-21-2437496762-2379314466-1107088517-504

Powershell - finding the little guys

get-wmiobject -class "win32_account" -namespace "root\cimv2" | sort caption | format-table domain,name, __CLASS, SID
domain name __CLASS SID
------ ---- ------- ---
DESKTOP-JHU119R Access Control Assistance Operators Win32_Group S-1-5-32-579
DESKTOP-JHU119R admin Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-1001
DESKTOP-JHU119R Administrator Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-500
DESKTOP-JHU119R Administrators Win32_Group S-1-5-32-544
DESKTOP-JHU119R ANONYMOUS LOGON Win32_SystemAccount S-1-5-7
DESKTOP-JHU119R Authenticated Users Win32_SystemAccount S-1-5-11
DESKTOP-JHU119R Backup Operators Win32_Group S-1-5-32-551
DESKTOP-JHU119R BATCH Win32_SystemAccount S-1-5-3
DESKTOP-JHU119R BUILTIN Win32_SystemAccount S-1-5-32
DESKTOP-JHU119R CREATOR GROUP Win32_SystemAccount S-1-3-1
DESKTOP-JHU119R CREATOR GROUP SERVER Win32_SystemAccount S-1-3-3
DESKTOP-JHU119R CREATOR OWNER Win32_SystemAccount S-1-3-0
DESKTOP-JHU119R CREATOR OWNER SERVER Win32_SystemAccount S-1-3-2
DESKTOP-JHU119R Cryptographic Operators Win32_Group S-1-5-32-569
DESKTOP-JHU119R DefaultAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-503
DESKTOP-JHU119R Device Owners Win32_Group S-1-5-32-583
DESKTOP-JHU119R DIALUP Win32_SystemAccount S-1-5-1
DESKTOP-JHU119R Distributed COM Users Win32_Group S-1-5-32-562
DESKTOP-JHU119R ENTERPRISE DOMAIN CONTROLLERS Win32_SystemAccount S-1-5-9
DESKTOP-JHU119R Event Log Readers Win32_Group S-1-5-32-573
DESKTOP-JHU119R Everyone Win32_SystemAccount S-1-1-0
DESKTOP-JHU119R Guest Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-501
DESKTOP-JHU119R Guests Win32_Group S-1-5-32-546
DESKTOP-JHU119R Hyper-V Administrators Win32_Group S-1-5-32-578
DESKTOP-JHU119R IIS_IUSRS Win32_Group S-1-5-32-568
DESKTOP-JHU119R INTERACTIVE Win32_SystemAccount S-1-5-4
DESKTOP-JHU119R IUSR Win32_SystemAccount S-1-5-17
DESKTOP-JHU119R LOCAL Win32_SystemAccount S-1-2-0
DESKTOP-JHU119R LOCAL SERVICE Win32_SystemAccount S-1-5-19
DESKTOP-JHU119R NETWORK Win32_SystemAccount S-1-5-2
DESKTOP-JHU119R Network Configuration Operators Win32_Group S-1-5-32-556
DESKTOP-JHU119R NETWORK SERVICE Win32_SystemAccount S-1-5-20
DESKTOP-JHU119R OWNER RIGHTS Win32_SystemAccount S-1-3-4
DESKTOP-JHU119R Performance Log Users Win32_Group S-1-5-32-559
DESKTOP-JHU119R Performance Monitor Users Win32_Group S-1-5-32-558
DESKTOP-JHU119R Power Users Win32_Group S-1-5-32-547
DESKTOP-JHU119R PROXY Win32_SystemAccount S-1-5-8
DESKTOP-JHU119R Remote Desktop Users Win32_Group S-1-5-32-555
DESKTOP-JHU119R REMOTE INTERACTIVE LOGON Win32_SystemAccount S-1-5-14
DESKTOP-JHU119R Remote Management Users Win32_Group S-1-5-32-580
DESKTOP-JHU119R Replicator Win32_Group S-1-5-32-552
DESKTOP-JHU119R RESTRICTED Win32_SystemAccount S-1-5-12
DESKTOP-JHU119R SELF Win32_SystemAccount S-1-5-10
DESKTOP-JHU119R SERVICE Win32_SystemAccount S-1-5-6
DESKTOP-JHU119R SYSTEM Win32_SystemAccount S-1-5-18
DESKTOP-JHU119R System Managed Accounts Group Win32_Group S-1-5-32-581
DESKTOP-JHU119R TERMINAL SERVER USER Win32_SystemAccount S-1-5-13
DESKTOP-JHU119R Users Win32_Group S-1-5-32-545
DESKTOP-JHU119R WDAGUtilityAccount Win32_UserAccount S-1-5-21-2437496762-2379314466-1107088517-504

But what do those numbers mean?

All SID fields have a specific meaning; so, for the sample SID S-1-5-21-4064627337-2434140041-2375368561-1036:

  • S: The initial S identifies the following string as a SID.

  • 1: The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.

  • 5: The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.

  • 21-4064627337-2434140041-2375368561: This section is the domain or local computer identifier (in this example, a domain identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.

  • 1036: The Relative ID (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.
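As an added example (not code from the original post), here is a small Python parser that splits a SID into the fields listed above and reads back the DACL that icacls /save wrote in 2.a. The SID alias table, the `full_control_non_builtin` check and the function names are my own assumptions; the sample SDDL is the line saved from c:\windows\Temp earlier on this page.

```python
import re

# Subset of SDDL SID aliases appearing in the saved ACL (constructed lookup table)
SID_ALIASES = {"BU": "S-1-5-32-545", "BA": "S-1-5-32-544",
               "SY": "S-1-5-18", "CO": "S-1-3-0"}
# Identifier authority values for the third SID field described above
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT"}
# The DACL icacls /save wrote for c:\windows\Temp earlier on this page
SAMPLE_SDDL = ("D:PAI(A;CI;0x100026;;;BU)(A;;FA;;;BA)(A;OICIIO;FA;;;BA)(A;;FA;;;SY)"
               "(A;OICIIO;FA;;;SY)(A;OICIIO;FA;;;CO)"
               "(A;OICI;FA;;;S-1-5-21-2437496762-2379314466-1107088517-1001)"
               "S:AINO_ACCESS_CONTROL")

def parse_sid(sid):
    """Split an S-R-A-... string into revision, authority, sub-authorities and RID."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    rid = subs[-1] if subs else None
    return {
        "revision": revision,
        "authority": AUTHORITIES.get(authority, str(authority)),
        "subauthorities": subs[:-1],
        "rid": rid,
        # S-1-5-21-<three machine/domain values>-<RID> marks a local or domain account
        "is_domain_sid": authority == 5 and subs[:1] == [21] and len(subs) == 5,
        # RIDs below 1000 are reserved for principals Windows creates itself
        "builtin_rid": rid is not None and rid < 1000,
    }

def parse_dacl(sddl):
    """Return each ACE in the D: section as a dict; aliases are expanded to SIDs."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in (re.findall(r"\(([^)]*)\)", dacl.group(1)) if dacl else []):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = ace.split(";")
        sid = SID_ALIASES.get(trustee, trustee)
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "sid": sid, "rid": parse_sid(sid)["rid"]})
    return aces

def full_control_non_builtin(aces):
    """Trustees granted FA (full access) whose RID is not a built-in one."""
    return sorted({a["sid"] for a in aces
                   if a["type"] == "A" and a["rights"] == "FA"
                   and not parse_sid(a["sid"])["builtin_rid"]})
```

Run against the saved DACL, the last function lists only the -1001 account, which is exactly the kind of non-built-in principal with full control that a reviewer would want to see stand out.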

An individual SID can be queried with:

sc showsid trustedinstaller
NAME: trustedinstaller
SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
STATUS: Active

https://www.exploit-db.com/exploits/44630

C:\Windows\System32\hal.dll

The HAL is loaded into kernel address space and runs in kernel mode, so routines in the HAL cannot be called directly by applications, and no user mode APIs correspond directly to HAL routines. Instead, the HAL provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Although drivers for most hardware are contained in other files, commonly of file type .sys, a few core drivers are compiled into Hal.dll.

User mode:

UAC has a similar architecture to Privilege Guard, as both are implemented in user mode.