
Zero Day

Ryan Naraine and Dancho Danchev

One-year-old (unpatched) Windows 'token kidnapping' under attack

March 16, 2009, 1:30pm PDT


Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched, and now comes word that in-the-wild exploits are circulating.

The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching, but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target:


Incident handler Bojan Zdrnja discovered the token kidnapping component of the attack while doing post-infection forensics:

  • The story started more or less like hundreds of recently seen incidents. A web application had a vulnerability that allowed a remote attacker to upload files to the server. As the files were not validated, the attacker was able to upload a .NET webshell. This webshell is known as ASPXSpy; it's an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.
  • However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play. The attackers uploaded a local exploit called Churrasco2. This is a PoC created by the well-known researcher Cesar Cerrudo and published back in October 2008. What makes it even worse is that it works on both Windows Server 2008 and Server 2003. The exploit creates a backdoor shell after it steals the SYSTEM token. The program's usage description says it all:
  • /Churrasco/–>Usage: Churrasco2.exe ipaddress port

After this, it was game over.  The attacker had a backdoor to the server running as SYSTEM.  The next steps were very obvious and included installation of another Trojan as well as a keylogger.
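The chain the ISC handler describes (an unvalidated upload, a webshell, then the local privilege escalation) leaves a trace in the web server's own logs well before the token-stealing step runs. As an added example, not code from the ISC diary or from this post, here is a small Python script that parses IIS W3C log lines and flags requests for server-side script files that sit under a directory the application uses for uploads, raising the severity when the same client POSTed to the site shortly beforehand. The sample log lines, the upload directory `/gallery/uploads/`, the client addresses and the ten-minute correlation window are constructed assumptions for the example, not values from the incident.

```python
"""Flag server-side scripts requested from an upload directory in IIS W3C logs.

Added example, not code from the ISC diary or the post above. The log lines,
the upload directory and the correlation window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Directories the (hypothetical) application stores uploaded files in. In a real
# deployment take these from the application's own configuration.
UPLOAD_DIRS = ("/gallery/uploads/",)

# Extensions IIS hands to a script engine instead of serving as static content.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# A script hit from a client that POSTed to the site within this window is
# treated as the upload-then-execute pattern rather than a stray request.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample log (IIS W3C extended format); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-03-10 02:11:05 10.0.0.5 GET /gallery/default.aspx - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 15
2009-03-10 02:11:40 10.0.0.5 POST /gallery/upload.aspx - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 120
2009-03-10 02:12:02 10.0.0.5 GET /gallery/uploads/photo1.jpg - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 3
2009-03-10 02:12:30 10.0.0.5 GET /gallery/uploads/cmd.aspx - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 47
2009-03-10 02:13:10 10.0.0.5 POST /gallery/uploads/cmd.aspx - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 980
2009-03-10 09:40:00 10.0.0.5 GET /gallery/uploads/cmd.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 40
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header.

    IIS writes spaces inside field values (e.g. the user agent) as '+', so
    splitting on whitespace is safe for this format.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or a malformed line: skip rather than guess columns
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_script_in_upload_dir(uri_stem):
    """True when the path is a script IIS would execute and it lives under an upload directory."""
    stem = uri_stem.lower()
    return stem.startswith(UPLOAD_DIRS) and stem.endswith(SCRIPT_EXTENSIONS)


def find_webshell_activity(text):
    """Return one finding per script request under an upload directory.

    Severity is 'high' when the same client IP POSTed to the site inside the
    correlation window beforehand (upload followed by execution), else 'medium'.
    """
    last_post_by_client = {}
    findings = []
    for rec in parse_w3c(text):
        client = rec["c-ip"]
        if is_script_in_upload_dir(rec["cs-uri-stem"]):
            prior_post = last_post_by_client.get(client)
            correlated = prior_post is not None and rec["timestamp"] - prior_post <= CORRELATION_WINDOW
            if correlated:
                reason = "script under upload dir; same client POSTed %s earlier" % (rec["timestamp"] - prior_post)
            else:
                reason = "script under upload dir; no recent POST from this client"
            findings.append({
                "time": rec["timestamp"].isoformat(sep=" "),
                "client": client,
                "method": rec["cs-method"],
                "path": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "severity": "high" if correlated else "medium",
                "reason": reason,
            })
        # Record the POST after the check so that a POST to the shell itself does
        # not count as its own "prior upload".
        if rec["cs-method"] == "POST":
            last_post_by_client[client] = rec["timestamp"]
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["client"], f["method"], f["path"], "-", f["reason"])
```

On the constructed log this reports the two hits on `cmd.aspx` from the uploading client as high and the later hit from a second address as medium, while `photo1.jpg` and the application's own `default.aspx` are left alone. The local exploit step (Churrasco2 spawning a SYSTEM shell) does not show up in a web log at all; what this catches is the foothold that made it possible, which is also the stage where an application-level fix (validating what an upload may contain and never executing content from the upload directory) would have cut the chain short.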

This is yet another example of a black eye that Microsoft could have avoided. To repeat, the company had notice of this issue one year ago, and despite the existence of proof-of-concept code, there is no patch for affected Windows users.

It should also be said that the list of outstanding Windows flaws collecting dust is very long and continues to grow every day.

In the absence of a patch, end users should pay attention to the workarounds/mitigations in Microsoft’s advisory.

* Image via Todd Bishop, Seattle PI.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (75 comments, most recent shown)

  • MS should patch this but you do your readers a disservice by not mentioning
    MS should patch this but you do your readers a disservice by not mentioning that this requires IIS to be installed on the machine. Since the default install of Windows does not install IIS, nor are 99.9% of desktop users likely to install IIS, this is not something that desktop users have to worry about.

    Bad MS for not patching it but bad ZDNet for not specifying that this doesn't affect desktop users.
    NonZealot
    16th Mar 2009
  • Yes but..
    Anyone that utilizes IIS knows what it is, and what it does. And this article focuses more on the server side of things as the Author specifies Windows 2003 and 2008, as these often will use IIS especially if they are being used as web servers. So while there may be only a small fraction of windows users that use IIS in the desktop environment, that small fraction can add up to hundreds of thousands of users.
    xXSpeedzXx
    16th Mar 2009
  • The problem appears to be limited to those sites...
    ...that are running web applications that may have vulnerabilities. IOW it doesn't appear to be a problem unless there is a vulnerability in a web application (which is a likely occurrence as web apps are hard to write securely). This doesn't appear to be a problem with IIS but rather a means to elevate privileges should an attacker find a way to exploit a web app.

    Though I'm open to correction as this was a quick analysis.
    ye
    16th Mar 2009
  • Or weakness in the custom .NET code.
    In a nutshell what we were discussing on another blog a few days ago ye. .NET, by its simplicity of deployment, makes holes in apps that much harder to find.
    914four
    17th Mar 2009
  • To MS IIS is everything.
    Try and run Exchange, SharePoint, or even FTP without it. Well, I guess you could install a third party program to do those functions without IIS but it's kinda hard with Microsoft server applications.
    tomam
    19th Mar 2009
  • Yup
    "I guess you could install a third party program to do those functions without IIS but it's kinda hard with Microsoft server applications. "
    Weird huh? What with Microsoft being so open and all?
    914four
    19th Mar 2009
  • Remote Desktop uses IIS, doesn't it?
    I had to turn it on and I don't run a web server on my desktop. Many who use the Remote Desktop feature do not run IIS as a normal practice and could be at risk.
    ThePrairiePrankster
    19th Mar 2009
  • not at least on Vista and above.
    I think you're thinking of remote administration mode for terminal services, on a Windows server OS.
    rtk
    19th Mar 2009
  • Right. More like...
    NonZealot's posts about vulnerabilities in other OSes;-)

    Sorry, is it more about apologising for MS?
    Richard Flude
    16th Mar 2009
  • Bzzt, try again!!
    Sorry, is it more about apologising for MS?

    Bzzt. While Apple apologists try to blame the victim or deny that the vulnerability exists or deny that Apple should patch it, I'm on record in my post as saying:
    Bad MS for not patching it

    I'm not apologizing for MS and MS should have patched this a year ago. However, the Apple fanatics (you included) would be all over a privilege escalation bug in the Apache version that is included in OS X if the article didn't mention that Apache had to be installed for the vulnerability to exist. Don't deny it, you know it is true. I'm merely doing the exact same thing you would be doing in that situation. The only difference is that all of you guys think that anti-MS FUD is totally okay while you foam at the mouth over anything that doesn't paint Apple in a glowing positive light. happy
    NonZealot
    16th Mar 2009
  • Spin, spin, spin
    One little sentence buried in reams of "this is no big deal because hardly
    anyone is affected" absolves you of all hypocrisy.

    Yeah, right.
    frgough
    16th Mar 2009
  • Uh oh, quote time!!
    Please quote where I said "this is no big deal". Do it now or retract your post.

    I will quote my post so the world can see how it is you who "spin, spin, spin":
    this is not something that desktop users have to worry about.

    If I am wrong about that statement, prove it. While you are trying to prove it though, please make sure you come up with an explanation for why IIS holes affect Windows desktop users but Apache holes don't affect OS X desktop users.

    If you can't, you must retract your post. If you don't do either of those, I've just exposed you as the hypocrite. happy
    NonZealot
    16th Mar 2009
  • You left off
    the trailing "but":

    "I'm on record in my post as saying:Bad MS for not patching it"

    You left off the "but ..." that immediately followed.

    "However, the Apple fanatics (you included) would be all over a
    privilege escalation bug in the Apache version that is included in OS X
    if the article didn't mention that Apache had to be installed for the
    vulnerability to exist."

    Apache is installed by default in Mac OS X so it seems a typically
    uninformed example.

    Patch reporting on ZDNet is terribly uninformed, always has been
    (remember George Ou). But your posts to Apple patch stories (not to
    mention the ZDNet headlines) are funny compared to this MS apology.

    "I'm merely doing the exact same thing you would be doing in that
    situation."

    Then why so defensive? Anyway, lest the uninformed believe
    NonZealot's story relating to IIS, the unpatched token kidnapping
    vulnerability is a design problem in Windows services protection
    mechanisms which leads to elevated privileges. It doesn't require IIS,
    just that this service is a great attack vector (and used in the article).

    I don't know what the big deal is, get your code executing on Windows
    (or for that matter most OSes, particularly desktops) and you can
    attain any privileges you like.
    Richard Flude
    16th Mar 2009
  • Yawn, you are getting boring
    Like I said, I'm on record as saying that MS is bad for not patching it. If you choose to twist my words to create a strawman that you can later tear down, go for it! Rational people understood what I wrote.

    Apache is installed by default in Mac OS X

    Turned on and running by default? Wow, that sounds like a terrible default configuration! Oh, it isn't? Oh, the bits are on disk but they aren't running? Gee, kind of useless as an attack vector, right? Sheesh, you Apple people sure do get desperate!

    It doesn't require IIS,
    just that this service is a great attack vector


    Right, which is why 100% of Windows machines get PWNED. Oh, they don't? Hmmm, wonder why?
    NonZealot
    16th Mar 2009
  • Bizarre
    I can't make any sense of your last post.

    It does appear you don't even understand the vulnerability.
    Richard Flude
    16th Mar 2009
