A security researcher from Colombia has found that Microsoft's Windows operating system has an easy-to-implement RID hijacking vulnerability that allows attackers to turn a guest account into one with administrator access on the affected computer. The bug went unnoticed for 10 months. Read this post to learn about the bug and how to protect your PC data from this attack.
Researchers Find a Simple Way of Backdooring Windows PCs
Recently, a security researcher named Sebastián Castro discovered a way to gain admin rights and boot persistence on Windows PCs. This way of backdooring computers is very simple to carry out but difficult to stop. The bug has been around for 10 months, but Microsoft has not fixed it.
According to Sebastián Castro, this vulnerability was found in December 2017 and has now been around for 10 months. However, the bug has not received any media coverage and has not been employed in malware campaigns, although it is easy to exploit.
RID hijacking
This technique targets one of the parameters of Windows user accounts, the RID (Relative Identifier).
The RID is a number appended to the end of an account's security identifier (SID) that describes the user's permission group. Several RIDs exist, but the most commonly encountered are two: 500 for the built-in administrator account and 501 for the standard guest account.
With the help of CSL CEO Pedro García, Castro also found that he can modify the RID of a specific account and assign it the RID of a different account group by rewriting the registry keys that store the information about each Windows account. Hence the term 'RID hijacking.'
According to the researchers, this method cannot be used by hackers to infect a computer remotely unless the account password is exposed on the internet. But hackers can brute-force the password of a local account to get admin permissions with full system access and a permanent backdoor on a Windows PC.
Besides, any modification made to an account's RID stays effective until it is fixed, since the registry keys persist across reboots.
The attack is also very reliable: after testing, the researchers found it works on many Windows versions, including Windows XP/7/8/8.1/10 and server systems from Server 2003 to Server 2016.
What is more serious is that this attack does not trigger any system warning for the victim, since it is carried out entirely with built-in system resources.
Currently, the only way to detect whether a computer has been a RID hijacking victim is to open the Windows registry and check the security account data for inconsistencies. If a guest account ends with RID 500, that account has admin access and someone has modified the registry keys, which is a dead giveaway.
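The registry check described above can be scripted. The following is an added example written for this post, not code from the researchers or from MiniTool. It assumes, based on published analyses of the technique rather than on this page, that each local account has a subkey under HKLM\SAM\SAM\Domains\Account\Users named after its original RID in hex, and that the RID Windows actually honours is stored as a little-endian DWORD at offset 0x30 of that subkey's binary F value. A hijacked account is one whose stored RID no longer matches its key name. The sample F values below are constructed to exercise the comparison; with the `--live` flag on Windows the script reads the real SAM hive, which requires running as SYSTEM.

```python
from __future__ import annotations
import struct
import sys

# Well-known RIDs named in the post: 500 = built-in Administrator, 501 = Guest.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Offset of the RID field inside a user's SAM "F" value.
# ASSUMPTION: taken from published analyses of RID hijacking, not from this post.
F_RID_OFFSET = 0x30


def rid_from_sid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority, of an SID such as S-1-5-21-...-500."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not an SID: {sid!r}")
    return int(parts[-1])


def rid_from_f_value(f_value: bytes) -> int:
    """Read the RID stored in a user's F value (little-endian DWORD at F_RID_OFFSET)."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]


def find_hijacked(user_keys: dict[str, bytes]) -> list[dict]:
    """user_keys maps a SAM Users subkey name (hex RID, e.g. '000001F5') to its F value.

    A key whose stored RID differs from the RID in its own name is inconsistent,
    which is the registry evidence of a hijack described in the post.
    """
    findings = []
    for key_name, f_value in user_keys.items():
        expected = int(key_name, 16)
        stored = rid_from_f_value(f_value)
        if stored != expected:
            findings.append({
                "key": key_name,
                "expected_rid": expected,
                "stored_rid": stored,
                "impersonates": WELL_KNOWN_RIDS.get(stored, "unknown"),
            })
    return findings


def collect_from_registry() -> dict[str, bytes]:
    """Windows only. Must run as SYSTEM: HKLM\\SAM is not readable by Administrators by default."""
    import winreg  # only available on Windows
    users: dict[str, bytes] = {}
    path = r"SAM\SAM\Domains\Account\Users"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as users_key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(users_key, index)
            except OSError:
                break  # no more subkeys
            index += 1
            if name == "Names":
                continue  # name-to-RID lookup table, not an account key
            with winreg.OpenKey(users_key, name) as account_key:
                f_value, _ = winreg.QueryValueEx(account_key, "F")
                users[name] = f_value
    return users


def _make_f(rid: int) -> bytes:
    """Constructed test blob: zeros except for the RID field. Real F values carry more fields."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample: Administrator and a normal user are consistent; the Guest key
# (501 = 0x1F5) has had its stored RID rewritten to 500, the scenario in the post.
SAMPLE_USERS = {
    "000001F4": _make_f(500),
    "000001F5": _make_f(500),
    "000003E9": _make_f(1001),
}

if __name__ == "__main__":
    live = "--live" in sys.argv and sys.platform == "win32"
    data = collect_from_registry() if live else SAMPLE_USERS
    for finding in find_hijacked(data):
        print(f"key {finding['key']}: expected RID {finding['expected_rid']}, "
              f"stored RID {finding['stored_rid']} ({finding['impersonates']})")
```

On the constructed sample the script reports only the Guest key, because its stored RID (500) no longer matches the RID in its key name (501). An empty result on a live system means the stored RIDs are consistent with the key names, which is the condition the post describes as untampered.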
No Response from Microsoft
CSL has informed Microsoft of the vulnerability, but Microsoft has not formally responded or patched it.
Thankfully, malware authors have not picked up this technique, or at least no incidents involving RID hijacking have been uncovered yet.
Protect PC Data from the Attack
RID hijacking is simple, stealthy, and persistent, which makes it the kind of Windows flaw attackers like most. What should you do to protect your PC from RID hijacking and avoid data loss?
The most important thing is to back up your PC regularly. MiniTool ShadowMaker, a free backup program, is a good choice for this: it can back up your system, files, disks or partitions automatically. Give it a try; otherwise your PC data may be lost after an attack.