Feature or flaw? How to hijack a Windows account in less than a minute
A security researcher has published a way to gain the highest level of a network's access -- without needing a password.
Alexander Korznikov said in a blog post that a privileged user, such as a local administrator with system rights and permissions, can use built-in command line tools to hijack the session of another logged-in user who has higher privileges.
He said that if that other logged-in user is a domain administrator, it's possible to hijack their session, giving that local administrator full access to the network, including domain services.
Using this technique will boot the hijacked user from their session without warning, he said.
Korznikov said that his technique doesn't always have to be used to gain access to an account with higher privileges -- it can also be used by system administrators to gain access to lower accounts, which may not have wider system or network access but works with highly-sensitive company programs or corporate databases.
He explained, (edited for clarity):
"A bank employee has access to a billing system and its credentials to log in. One day, he logs in to the billing system, and starts work. At lunch time, he will lock his workstation. Then the system administrator logs in with his account to the employee's workstation. According to the bank's policy, the administrator should not have access to the billing system, but with couple of built-in commands in Windows, the administrator can hijack the employee's desktop, which is still locked. Now, the administrator can perform malicious actions in the billing system as the employee's account."
All it takes is about is about a half-minute of work, according to his proof-of-concept video.
Korznikov called the issue a "high risk vulnerability," but even by his own admission, he's not sure if it's a feature in Windows, or a serious flaw.
Microsoft's own documentation explains the scope and limitations of the command line tools used in his report, which says the tool should fail when a user fails to enter a password, but Korznikov said he disputes this.
Security researcher Kevin Beaumont confirmed the bug in a tweet, saying it was "very easy" to hijack accounts.
Korznikov said he tested the bug on Windows 7, Windows 10, and Windows Server 2008 and Windows Server 2012 R2, but Beaumont said it works on every supported version of Windows.
But Korznikov hasn't reported the issue to Microsoft.
"Everything is done with built-in commands," he says. "Every admin can impersonate any logged in user either locally with physical access or remotely via Remote Desktop," he said.
"Unfortunately, I don't know if there some kind of patch and I don't know what recommendations there could be," said Korznikov. "Reporting to Microsoft can take six month until [the] issue is resolved, I wanted to notify everyone about that as soon as possible," he said.
Korznikov's discovery isn't unique to him. Other security researchers, namely Benjamin Delpy, wrote a similar description of the session hijacking bug back in 2011 (in French).
A Microsoft spokesperson said that the purported flaw "is not a security vulnerability as it requires local admin rights on the machine."