Sebastián Castro, a security researcher from Colombia working for the security company CSL, has documented a Windows weakness that lets an attacker who already controls a machine plant a persistent, hard-to-spot backdoor in it. The researcher said Microsoft has yet to address the issue.
Windows RID Hijacking
Castro found that the Relative Identifier (RID), the final component of the Security Identifier (SID) that Windows assigns to every local account, can be rewritten with a simple change to the Security Account Manager (SAM) hive in the registry. Because RID 500 always denotes the built-in Administrator account, giving a low-privileged or guest account that RID makes Windows build an Administrator token whenever that account logs on, even though the account keeps its original name and password.
Attackers can't make this change remotely on its own: the SAM hive is writable only with SYSTEM-level access, so the PC must already be exposed, for example through open, insecure ports reachable from the internet, or already compromised by malware that gave the attacker remote control.
Once an attacker does hold administrative access, however they got it (brute-forcing an account password or getting the user to open an infected file sent by email or some other medium), a single registry edit turns any ordinary account into a permanent backdoor with full system access that survives password changes and malware cleanup.
Castro described the attack as highly reliable and working on all Windows versions from XP to 10, as well as on Windows Server 2003 to 2016. According to the researcher, the attack is not easily noticed, because it uses only regular Windows components: the hijacked account is not added to the Administrators group and shows up in the usual account lists as the limited user it appears to be. If you want to check whether your limited or guest accounts have been backdoored this way, inspect the RID stored in each account's SAM record and look for one that has been changed to 500, the RID of the built-in Administrator account.
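The following PowerShell audit is an added example, not code from the article, from CSL or from Castro. It implements the check the paragraph above describes and, for the mechanism explained earlier, shows where the hijacked value lives: each local account is a subkey of the SAM's Users key named by its RID in hex, and the binary F value in that subkey carries a second copy of the RID at offset 0x30 (two bytes, little-endian); that offset is taken from the technique's published description, not from this article. RID hijacking rewrites only the copy inside F, so a mismatch between key name and F value is the artefact to look for. The script has to run as SYSTEM (for instance from `psexec -s -i powershell.exe`), since even Administrators cannot read HKLM\SAM\SAM by default.

```powershell
# Added example: audit (and optionally repair) local accounts for RID hijacking.
# Not part of the article or of CSL's tooling. Run as SYSTEM, e.g. "psexec -s -i powershell.exe".
$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

function Get-RidHijackFindings {
    # Account subkeys are 8 hex digits (000001F4 = 500 Administrator, 000003E9 = 1001 first user);
    # the "Names" subkey and anything else is skipped.
    Get-ChildItem -Path $usersKey |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object {
            $keyRid = [Convert]::ToInt32($_.PSChildName, 16)
            $f = $_.GetValue('F')                      # REG_BINARY -> byte[]
            if ($null -eq $f -or $f.Length -lt 0x32) { return }
            # Offset 0x30 holds the RID Windows uses when it builds the logon token.
            $fRid = [BitConverter]::ToUInt16($f, 0x30)
            [pscustomobject]@{
                Key       = $_.PSChildName
                KeyRid    = $keyRid
                FValueRid = $fRid
                Hijacked  = ($fRid -ne $keyRid)
            }
        }
}

function Repair-RidHijack {
    # Writes the key's own RID back into F so the account logs on as itself again.
    param([Parameter(Mandatory)] $Finding)
    $path  = Join-Path $usersKey $Finding.Key
    $bytes = (Get-Item $path).GetValue('F')
    $rid   = [BitConverter]::GetBytes([uint16]$Finding.KeyRid)   # little-endian
    $bytes[0x30] = $rid[0]
    $bytes[0x31] = $rid[1]
    Set-ItemProperty -Path $path -Name 'F' -Value $bytes -Type Binary
}

$findings = Get-RidHijackFindings
$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object Hijacked)
if ($bad.Count -eq 0) {
    Write-Host 'No RID mismatches found.'
} else {
    foreach ($b in $bad) {
        $note = if ($b.FValueRid -eq 500) { 'logs on as the built-in Administrator' } else { 'logs on as another account' }
        Write-Warning ("Account key {0} (RID {1}) carries RID {2} in its F value: {3}" -f $b.Key, $b.KeyRid, $b.FValueRid, $note)
    }
    # Uncomment to restore the original RIDs after confirming the finding:
    # $bad | ForEach-Object { Repair-RidHijack -Finding $_ }
}
```

Because the change lives in the SAM hive rather than in group membership, tools that list Administrators group members will not flag the account; the comparison above, or a diff of the exported SAM hive against a known-good baseline, is what actually reveals it.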
Microsoft Hasn’t Fixed the Vulnerability
Castro told ZDNet that he reached out to Microsoft but that the company was unresponsive, and he made clear that the issue has not been patched.
To light a fire under Microsoft, the researcher has already released a working module for the popular Metasploit framework (post/windows/manage/rid_hijack), which means malicious actors will soon be able to fold the technique into their own toolkits and malware as well.
Castro has also presented the attack at several security conferences over the past several months, so Microsoft is very likely aware of it by now. We have contacted the company for further details and will update this post if we receive a response.