Articles‎ > ‎

Leveraging Backup Privileges

posted Dec 14, 2015, 3:59 PM by Christopher Byrd   [ updated Dec 14, 2015, 4:01 PM ]
Recently Didier Stevens wrote an interesting article and related SANS posting regarding Windows Backup Privileges. In it he presented a modified cmd.exe from ReactOS to allow asserting the backup privilege which bypasses traverse checking and file DACLs. I had looked into similar techniques as well, and his article prompted me to put together a video adding to what Didier has posted.

In addition to using a local process to access files using backup privilege, Windows supports asserting a "backup intent" over network SMB/CIFS connections. This allows someone on a remote system, using an account with backup or restore privileges, to read or write files and traverse file systems regarding of DACLs. Fortunately, there are already a couple of Linux tools (smbclient and mount.cifs) that already implement this capability. This can be extremely useful during penetration tests.  I put together a video that demonstrates this capability below.

YouTube - Leveraging Backup Privileges


Also in follow up conversations on Twitter, there was some questions raised about using this functionality with native Windows commands. I have found it is possible to do using native PowerShell (using this script) and RoboCopy with the /B option. RoboCopy allows both reading (backup) and writing (restore) files, but does not work when the parent directory is inaccessible (therefore requires copying entire folders when a parent folder is inaccessible). The following screenshot illustrates this.
Accessing files using backup privilege in PowerShell

For future consideration, it should be possible to read and write files using native PowerShell; the library SeBackupPrivilege by giuliano108 does exactly that, but uses compiled .DLLs. With a little more time and PowerShell work it should be possible to accomplish the same thing in native PowerShell. Thanks to Didier for the interesting article, and I hope you find this additional information useful.

Comments