RAITrigger – Local SYSTEM Authentication Trigger for Relaying

A low‑privileged domain user can call the RPC function RAiForceElevationPromptForCOM in appinfo.dll to trigger SYSTEM‑level authentication to an arbitrary UNC path, enabling NTLM relay or ADCS attacks in domain environments.

https://github.com/rtecCyberSec/RAITrigger/

#LPE #RelayAttack

S. Haskins and T. Stevado, "Unlocking doors from half a continent away: A relay attack against HID Seos"¹

HID Global is a major vendor of physical access control systems. In 2012, it introduced Seos, its newest and most secure contactless RFID credential technology, successfully remediating known flaws in predecessors iCLASS and Prox. Seos has been widely deployed to secure sensitive assets and facilities. To date, no published research has demonstrated a security flaw in Seos. We present a relay attack developed with inexpensive COTS hardware, including the Proxmark 3 RDV4. Our attack is capable of operating over extremely long ranges as it uses the Internet as a communications backbone. We have tested multiple real-world attack scenarios and are able to unlock a door in our lab with a card approximately 1960 km away. Our attack is covert and does not require long-term access to the card. Further, our attack is generic and is potentially applicable to other protocols that, like Seos, use ISO/IEC 14443A to communicate. We discuss several mitigations capable of thwarting our attack that could be introduced in future credential systems or as an update to Seos-compatible readers' firmware; these rely on rejecting cards that take too long to reply.

#IACR #ResearchPapers #HIDGlobal #RFID #RelayAttack #Cryptanalysis #PhysicalAccessControl #ISO14443
__
¹ https://eprint.iacr.org/2023/450