EXPLOITING WINDOWS VISTA RESOURCE VIRTUALIZATION
James Forshaw, Google
One of the big changes in Windows Vista was the introduction of UAC. Many Windows applications were written assuming they had complete control over all file and registry locations; by separating out administrators, UAC created an application compatibility nightmare. These existing applications would try to write to the Windows folder or HKEY_LOCAL_MACHINE and fail to work correctly or, in the worst cases, crash. To deal with the problem, Microsoft added file and registry virtualization, which transparently redirects administrator-only registry and file access to user-accessible locations. This code is complex and inevitably has security implications.
This presentation will go into how these virtualization mechanisms work on Windows 10 and explain in detail how I was able to exploit them for local privilege escalation.