< NULLCON 2025 - BERLIN />

About the Speaker

Rotem Salinas
Senior Security Researcher, CyberArk Labs
Philip Tsukerman
Vulnerability Researcher, CyberArk

< Talk Title />

LPEPM - Tricking Microsoft EPM To Do Our Bidding

< Talk Category />

Technical Speakers

< Talk Abstract />

In this session we will venture into the internals of Microsoft EPM and explain how elevation policy enforcement is supposed to ensure that only the tasks permitted by the policy can be executed with high privileges. We will then present several vulnerabilities that allow an attacker to elevate arbitrary code.

Microsoft EPM is an Endpoint Privilege Management solution that allows unprivileged users to run specific applications with high privileges, according to an enterprise-defined elevation policy.

This approach lets organizations escape the "everyone's a local admin" trap while still allowing users to perform the daily tasks that require elevated privileges.

We will take a look at what can go wrong, and present and demonstrate several vulnerabilities we found in this product that allow an adversary to take the leap from a low-privileged user to arbitrary code execution as an administrator.

Our session will cover our process of reverse-engineering the EPM binaries to find the first vulnerability, then patch-diffing and re-analyzing the code to bypass the fix, using several methods to resurrect the vulnerability after it was patched.

We will also share additional design issues that could allow attackers to escalate their privileges.

Finally, we will discuss the difficulty of designing and implementing an LPE-resistant EPM solution, and the various pitfalls and challenges involved in doing so.

< Speaker Bio />

Rotem Salinas

Rotem is a Senior Security Researcher in CyberArk Labs' Vulnerability Research Team. His work focuses on finding exploitable bugs in operating systems, device drivers, browsers, applications and anything low-level.

Philip Tsukerman

Several years ago, Philip decided that computers are in fact really cool, and that he wants to spend a lot of time breaking and protecting them. Computers, on the other hand, don't share a similar sentiment about Philip, and frankly consider him to be a bit of a nerd. He is currently employed as a vulnerability researcher at CyberArk.