Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-Path-Less-Traveled.pdf
The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns
Christopher Campbell, Security Researcher
15 years after APT was released for Linux, Microsoft is finally going to ship Windows with a package manager! Windows PowerShell OneGet is the easiest and fastest way to install applications and will be a fundamental part of how Microsoft wants you to administer your enterprise. In this talk we will go over OneGet, NuGet and Chocolatey and observe some of the security problems that will have to be overcome before widespread adoption. We will go over the hundreds of privilege escalation vulnerabilities that were found in the more than 1800 unique packages that are already available on the repository server. We will also demo vulnerabilities against one of the package managers and PowerShell itself. Come see how to find third-party privilege escalation bugs at scale with the newest addition to PowerSploit.
Chris is a security practitioner with over a decade of experience attacking and securing enterprise networks. Currently, he is a security researcher and developer for the Harris Corporation. Formerly, Chris spent over 12 years in the U.S. Army Reserve and spent four years as an operator in the Computer Exploitation section of the U.S. Army Red Team. He has a Master of Science in Information Assurance from Capitol College and holds several industry certifications that he’d prefer you not hold against him. Chris is one of the developers of PowerSploit and has given presentations at Black Hat USA, DerbyCon, ShmooCon Firetalks and multiple BSides events. He maintains a blog at www.obscuresec.com and is active on Twitter (@obscuresec).