Impersonatewindows

TokenTokenKidnapping'sRevengeCesarCerrudoArgenissWhoamIWhoamIAiFddCEOArgenissFounderandCEOIhavebeenworkingonsecurityfor+8yearsIhavefoundandhelpedtofixhundredsofvulnerabilitiesinsoftwaresuchasMSWindows,MSSQLServer,OracleDatabaseServer,IBMDB2,andmanymore.
.
.
+50vulnerabilitiesfoundonMSproducts(+20onWindowsoperatingsystems)IhaveresearchedandcreatednovelattacksandexploitationtechniquesAgendaAgendaIntroductionWhatisimpersonationandwhataretokensWindowsXPand2003servicessecurityWindows7Vistaand2008servicessecurityWindows7,Vistaand2008servicessecurityTokenKidnapping'srevengetimeCliConclusionsIntroductionIntroductionIhllWidiLlInthepastallWindowsservicesranasLocalSYSTEMaccountff–Compromiseofaservice==fullsystemcompromiseThenMSintroducedNETWORKSERVICEandLOCALSERVICEaccounts–Compromiseofaservice!
=fullsystemcompromiseWindowsVista,Windows2008andWindows7introducednewprotectionsFirstTokenKidnappingissueswerefixed,butaswearegoingtoseeWindowsisstillnotperfect.
.
.
ggpWhatisimpersonationandwhataretokensImpersonationistheabilityofathreadtoexecuteusingdifferentsecurityinformationthantheprocessthatownsthethread–ACLchecksaredoneagainsttheimpersonatedusers–ImpersonationAPIs:ImpersonateNamedPipeClient(),ImpersonateLoggedOnUser(),RpcImpersonateClient()Itilbdbith–Impersonationcanonlybedonebyprocesseswith"Impersonateaclientafterauthentication"(SeImpersonatePrivilege)(pg)–WhenathreadimpersonatesithasanassociatedimpersonationtokenWhatisimpersonationandwhataretokensAccesstokenisaWindowsobjectthatdescribesthesecuritycontextofaprocessorthread–Itincludestheidentityandprivilegesoftheuseraccountassociatedwiththeprocessorthread–TheycanbePrimaryorImpersonationtokensPrimaryarethosethatareassignedtoprocessesImpersonationarethosethatcanbegetwhenimpersonationoccursimpersonationoccurs–Fourimpersonationlevels:SecurityAnonymous,SecurityIdentity,SecurityImpersonation,yy,yp,SecurityDelegationWindowsXPand2003servicessecurityServicesrununderNetworkService,LocalService,LocalSystemanduseraccounts,y–AllservicescanimpersonateFixedweaknessesFixedweaknesses–AprocessrunningunderXaccountcouldaccessprocessesrunningunderthesameXaccountpgAfterfixes–RPCSSandafewservicesthatimpersonateSYSTEMRPCSSandafewservicesthatimpersonateSYSTEMaccountarenowproperlyprotected–WMIprocessesareprotectednowWindowsVista,2008and7servicessecurityPerserviceSID(newprotection)–Nicefeature,nowserviceprocessesarereallyttdditbdprotectedanditsresourcescanbearmouredFixedweaknessesinWindowsVistaand2008–Whileregularthreadswereproperlyprotected,threadsfromthreadpoolswerenotWMIpocessesnningndeLOCALSERVICEand–WMIprocessesrunningunderLOCALSERVICEandNETWORKSERVICEwerenotprotectedAfterfixesAfterfixes–ThreadsfromthreadpoolsareproperlyprotectedWMIprocessesareprotectednow–WMIprocessesareprotectednowTokenKidnapping'srevengetimeFirstIfoundthatTapiservicehadprocesshandleswithduplicatehandlepermissionsThenIstartedtoexaminetheTapiservice–FoundweakregistrypermissionsHKLM\SOFTWARE\Microsoft\TracingHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephonyelephony–FoundlineAddProvider()API,NetworkServiceandLocalServiceaccountscanloadarbitrarydllsandLocalServiceaccountscanloadarbitrarydllsTapiservicerunsasSysteminWindows2003–FoundthatTracingfunctionalityisusedbymostFoundthatTracingfunctionalityisusedbymostservices,includingservicesrunningasSystemTokenKidnapping'srevengetimePreviousfindingsleadtootherinterestingfindingsinWindows2003g–WhenWMIisinvoked,DCOMLaunchservicereadsNetworkandLocalServiceusersregistrykeysIfvaluesarefoundthenHKCRkeysarenotusedAllowsWMIprocessprotectionbypassFinallyIcouldelevateprivilegesfromLl/NtkSiillWidiLocal/NetworkServiceinallWindowsversionsandbypassprotectionsTokenKidnapping'srevengetimeWindows2003IIS6&SQLServerexploits–BypassWMIprotectionBypassWMIprotectionWindows2008andWindows7IIS7.
5exploitsExploitweakregistrypermissions–ExploitweakregistrypermissionsRecomendationsRecomendations–OnIISdon'trunASP.
NETinfulltrustanddon'trunwebsitesunderNetworkServiceorLocalServiceaccountsaccounts–AvoidrunningservicesunderNetworkServiceorLocalServiceaccountsLocalServiceaccountsUseregularuseraccountstorunservicesRemoveUsersgroupfromRemoveUsersgroupfromHKLM\Software\Microsoft\TracingregistrykeypermissionspDisableTelephonyserviceFixesFixes–OnAugustMicrosoftisreleasingafixforHKLM\Software\Microsoft\TracingregistrykeypermissionsissueandarelatedelevationofpermissionsissueandarelatedelevationofprivilegesvulnerabilityMicrosoftisalsoreleasinganadvisorytoaddress–MicrosoftisalsoreleasinganadvisorytoaddressTAPI,WMIandsharedregistrykeysrelatedissuesConclusionsConclusionsNewWindowsversionsaremoresecurebuttherearestillsomeissueseasytofindFindingvulnerabilitiesisnotdifficultifyouknowwhattoolstouseandweretolookforOnWindowsXPandWindows2003–IfausercanexecutecodeunderNetworkServiceausecaeecutecodeudeetoSeceorLocalServiceaccountUsercanexecutecodeasSYSTEMOnWindows7,Vistaand2008–IfausercanimpersonateIfausercanimpersonateUsercanexecutecodeasSYSTEMReferencesReferencesTokenKidnappinghttp://www.
argeniss.
com/research/TokenKidnapping.
pdfImpersonateaclientafterauthenticationhttp://support.
microsoft.
com/kb/821546Accesstokenshttp://msdn2.
microsoft.
com/en-us/library/aa374909.
aspxProcessExplorerandProcessMonitorhttp://www.
sysinternals.
comAPIImpersonationFunctionshttp://msdn.
microsoft.
com/en-us/library/cc246062(PROT.
10).
aspxFinFinQuestionsQuestionsThanksContact:cesar>atdotargeniss.
com