Abusing SeLoadDriverPrivilege for Privilege Escalation

In the complex world of Windows security, understanding the permissions and privileges granted to various services and user accounts is crucial. One such privilege, SeLoadDriverPrivilege, plays a significant role in how the operating system handles device drivers.

What is SeLoadDriverPrivilege?

SeLoadDriverPrivilege is a specific permission in Windows that grants a service the ability to load and unload device drivers. While this might sound straightforward, it has far-reaching implications, particularly in the context of security. This privilege allows users to install and remove drivers for Plug and Play devices, which are essential for the seamless operation of various hardware components.

However, this capability isn't without risk. When this privilege is assigned to user accounts without proper administrative permissions, it opens the door to local privilege escalation attacks—a type of security breach where a user with limited access gains elevated privileges on the system.

Identifying SeLoadDriverPrivilege

In this tutorial, we'll focus on the "Load and unload device drivers" privilege escalation technique. We'll start by identifying if a user has been assigned this privilege, and then proceed with a demonstration of how it can be exploited.

Step 1: Check User Privileges

To check if a user has the SeLoadDriverPrivilege, you can use the whoami command with the /priv flag. This command displays the privileges assigned to the current user account.

whoami /all

The output of this command displays the user’s information, including groups and privileges. Under the privileges section, you can verify if the user has been assigned the "Load and unload device drivers" privilege. If this privilege is enabled, it can be leveraged to exploit SeLoadDriverPrivilege.

Step 2: Elevating Privileges

To perform privilege escalation, we need to compile two critical files:

The ExploitCapcom.cpp exploit allows you to obtain a shell with SYSTEM-level privileges. Additionally, we will load a malicious kernel driver, Capcom.sys, to facilitate the attack.

For a detailed guide on this vulnerability and its proof of concept, check out this article.

Step 3: Executing the Exploit

After compiling the necessary files, you need to modify the netcat.bat script and place all the required files in the C:\temp directory. Then, execute the following commands in PowerShell:

.\EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\temp\capcom.sys
.\ExploitCapcom_modded.exe

Ensure your Netcat listener is up and running (using nc -lvnp). This will allow you to establish a connection from the remote machine to your shell.

Conclusion

To mitigate the risks associated with SeLoadDriverPrivilege, domain administrators should exercise caution when assigning this privilege. It should not be granted to any user or group other than administrators on member servers. On domain controllers, this privilege should be restricted to Domain Admins only.