Unpatched Windows Flaw Lets Attackers Backdoor Systems

Sebastián Castro, a security researcher from Colombia working for the security company CSL, has found a Windows vulnerability that could allow an attacker to install a permanent backdoor on users' systems. The researcher said Microsoft has yet to fix this flaw.

Windows RID Hijacking

Castro found that the Relative Identifier (RID), the part of a Windows account's security identifier that determines which permission group the account belongs to, can be modified with a simple registry change. Attackers could use the technique to gain administrative privileges and take control of the user's system.

Attackers can’t make this change remotely, unless the user’s PC is somehow already exposed to attacks from the internet via open and non-secure ports or if the attackers already gained remote access to the system via malware.

However, if the hackers can brute force a user’s account password or get the user to install an infected file via email or some other medium, then they can gain a permanent backdoor with full system access.

Castro described the attack as highly reliable and working on all Windows versions from XP to 10, as well as on Windows Server 2003 to 2016. According to the researcher, the attack is not easily noticed, because the attacker uses only regular Windows resources. However, if you want to check whether your limited or guest accounts have been backdoored this way, you can check whether their RID has been modified to "500," which is the RID of the Administrator account.
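The check described above, written out as an added Python example (this is not CSL's or the article's code): it compares the RID encoded in each account's SAM key name with the RID stored inside that account's "F" value and reports any mismatch. The SAM key path, the offset 0x30 of the RID within F, and the sample blobs are assumptions and constructed data, not taken from the article.

```python
import struct

# Assumed SAM layout (not stated in the article): each local account lives under
# HKLM\SAM\SAM\Domains\Account\Users\<RID as 8 hex digits>, and its binary "F"
# value holds the effective RID as a little-endian DWORD at offset 0x30.
RID_OFFSET = 0x30
ADMIN_RID = 500  # well-known RID of the built-in Administrator account

def rid_from_f(f_blob: bytes) -> int:
    """Return the RID stored inside a SAM 'F' value."""
    if len(f_blob) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_blob, RID_OFFSET)[0]

def find_hijacked(users: dict) -> list:
    """Return (key_name, key_rid, stored_rid) wherever key name and F disagree."""
    findings = []
    for key_name, f_blob in users.items():  # key names are RIDs in hex
        key_rid = int(key_name, 16)
        stored = rid_from_f(f_blob)
        if stored != key_rid:  # hijacking rewrites F but not the key name
            findings.append((key_name, key_rid, stored))
    return findings

def _fake_f(rid: int) -> bytes:  # constructed blob: only the RID field is set
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)

# Constructed sample hive: Administrator and one normal user are consistent;
# the third key says RID 1002 but its F now carries the Administrator RID.
SAMPLE_USERS = {
    "000001F4": _fake_f(500),
    "000003E9": _fake_f(1001),
    "000003EA": _fake_f(500),
}

def live_users() -> dict:
    """Collect F blobs from the real SAM hive (Windows, SYSTEM rights needed)."""
    import winreg
    users = {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SAM\SAM\Domains\Account\Users")
    for i in range(winreg.QueryInfoKey(key)[0]):
        name = winreg.EnumKey(key, i)
        if len(name) == 8:  # skip the 'Names' subkey
            users[name] = winreg.QueryValueEx(winreg.OpenKey(key, name), "F")[0]
    return users

for key, key_rid, stored in find_hijacked(SAMPLE_USERS):
    tag = " (Administrator)" if stored == ADMIN_RID else ""
    print(f"{key}: key RID {key_rid} but F holds {stored}{tag}")
```

On a real machine, replace `SAMPLE_USERS` with `live_users()`; the SAM hive is only readable as SYSTEM, so run it from an elevated context such as a scheduled task or PsExec `-s`.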

Microsoft Hasn’t Fixed the Vulnerability

Castro told ZDNet that he reached out to Microsoft, but the company was unresponsive. He also made it clear that the vulnerability has not been patched.

To put some fire under Microsoft’s feet, the researcher has already released a fully working exploit for the popular Metasploit exploit framework, which means malicious actors will soon be able to integrate this exploit into their own exploit suites and malware too.

Castro also presented the attack at several security conferences over the past several months, so chances are Microsoft is well aware of it by now. We've contacted the company for further details, and we'll update this post if we receive a response.

[Embedded presentation: "RID Hijacking: Maintaining Access on Windows Machines" by Sebastián Castro]

7 comments
  • Nintendork
    Sure, strong commitment to security then it deletes your personal data for the lulz on a broken OS.
  • derekullo
    If someone gains write access to your registry, aren't you already pwned?

    Needing the user to install an infected program to then edit the registry just sounds like every other virus/trojan out there.

    Am I missing something?
  • jimmysmitty
    205977 said:
    Sure, strong commitment to security then it deletes your personal data for the lulz on a broken OS.


    A single bug does not a broken OS make. 10 is a good OS that runs fine. The bug affected a minimal number of people and was not being actively pushed to unaware users, meaning these people all manually started the update. Microsoft pulled the update before major damage to a much larger populace happened, and it probably would not have affected the vast majority anyway, since the vast majority do not know how to use, or do not use, redirected folders.

    212804 said:
    If someone gains write access to your registry, aren't you already pwned? Needing the user to install an infected program to then edit the registry just sounds like every other virus/trojan out there. Am I missing something?


    No, you are not missing anything. This requires quite a few things to be in play. Either they have physical access to the system and can crack or know the user's password, or they have to have the user install a program that gives them administrator rights to the registry. In a typical business environment the user normally should not be an administrator. Even in a personal environment the user should be a power user with an admin account they have to use to allow installs to happen.

    It actually sounds like a meh vulnerability. Microsoft should patch it but it is not something that I would worry about too much unless you have hackers walking around your office/house daily.