Windows token kidnapping returns to haunt Microsoft

Summary: A security researcher plans to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7.

Microsoft's problems with Token Kidnapping on the Windows platform aren't going away anytime soon.

More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7.

Cesar Cerrudo, founder and CEO of Argeniss, a security consultancy based in Argentina, first reported the token kidnapping problem to Microsoft in 2008 and, after waiting in vain for a patch, released the details during the Month of Kernel Bugs project.

The flaw would eventually be exploited in active attacks, leading to a mad scramble at Redmond to come up with a fix and a subsequent disclosure flap that exposed Microsoft as the irresponsible party.

This year, Cerrudo plans a new talk titled "Token Kidnapping's Revenge" in which he will show how attackers can also bypass some of the protections Windows applies to its services.

In an interview with Threatpost, Cerrudo said the presentation will cover about a half-dozen vulnerabilities in all Windows versions from XP to Windows 7 that can be exploited to elevate privileges by any user with impersonation rights.

The explanation:

Most Windows services accounts have impersonation rights. Because impersonation rights are needed these are not critical, high risk vulnerabilities, regular Windows users can't exploit them. Some applications are more susceptible to exploitation of these vulnerabilities than others, for instance, if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

For example, if you are an SQL Server administrator (which is not a Windows administrator) you can exploit these vulnerabilities from SQL Server and fully compromise the Windows server.

Cerrudo said the vulnerabilities can also be used to bypass the newer Windows service hardening protections. That matters in post-exploitation scenarios: an attacker who can already run code after exploiting a vulnerability in a Windows service, but is held back from compromising the whole system by those protections, can use these bugs to finish the job.
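The two passages above rest on one precondition: the attacker's code must run as an account that holds SeImpersonatePrivilege (a service account, an IIS application pool, the SQL Server service), and the service hardening that is supposed to contain such a process only helps if the service actually drops that privilege. The following PowerShell audit checks that precondition on a host. It is an added example, not code from the article or from Cerrudo's research; it exploits nothing. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance), a local administrator session so the per-service registry keys are readable, and that the WebAdministration module is present only on hosts with the IIS role. The function names and the output columns are this example's own.

```powershell
# Added example, not part of the ZDNet article or of Cerrudo's research.
# Reports which accounts and processes on this host would satisfy the
# "has impersonation rights" precondition the article describes.
# Assumptions: Windows PowerShell 3.0+, run as a local administrator;
# the IIS section is skipped where the WebAdministration module is absent.

function Test-CurrentTokenImpersonate {
    # whoami /priv prints one privilege per line. Presence is what matters,
    # not the Enabled/Disabled column: a process can re-enable a held privilege.
    $lines = whoami /priv 2>$null
    return [bool]($lines | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\b' })
}

function Get-ServiceImpersonationAudit {
    # Every process started by the Service Control Manager carries the SERVICE
    # logon group SID, which holds SeImpersonatePrivilege by default; this is
    # why "most Windows services accounts have impersonation rights".
    # Vista+ service hardening lets a service shed it through a
    # RequiredPrivileges list (REG_MULTI_SZ under the service key, also set
    # with "sc privs"). With no list, the service keeps every privilege of
    # its account.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-CimInstance Win32_Service | ForEach-Object {
        $key = Join-Path $svcRoot $_.Name
        $required = (Get-ItemProperty -Path $key -Name RequiredPrivileges `
                     -ErrorAction SilentlyContinue).RequiredPrivileges
        $keepsImpersonate = ($null -eq $required) -or
                            ($required -contains 'SeImpersonatePrivilege')
        [pscustomobject]@{
            Service        = $_.Name
            Account        = $_.StartName
            State          = $_.State
            RequiredPrivs  = if ($required) { $required -join ',' } else { '<none set>' }
            CanImpersonate = $keepsImpersonate
        }
    }
}

function Get-IisAppPoolIdentities {
    # IIS worker processes run as the pool identity. The built-in identities
    # (NetworkService, ApplicationPoolIdentity, ...) are the "default
    # configuration" the article says is exposed once an attacker can upload
    # server-side pages.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return @() }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            AppPool  = $_.Name
            Identity = $_.processModel.identityType
            User     = $_.processModel.userName
        }
    }
}

# Usage: current token, then running services that still hold the privilege,
# then IIS pool identities (empty on hosts without IIS).
"Current token holds SeImpersonatePrivilege: $(Test-CurrentTokenImpersonate)"
Get-ServiceImpersonationAudit |
    Where-Object { $_.CanImpersonate -and $_.State -eq 'Running' } |
    Sort-Object Account | Format-Table -AutoSize
Get-IisAppPoolIdentities | Format-Table -AutoSize
```

Read the output the way Cerrudo frames the risk: a row with CanImpersonate set to True is a process that, if an attacker can get code into it (an uploaded ASP page, an xp_cmdshell call as a SQL Server sysadmin, a bug in the service itself), already meets the precondition for the bugs he describes, and a service whose RequiredPrivileges list omits SeImpersonatePrivilege is one that the hardening was containing, which is exactly the containment he says the new issues can bypass.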

One of the issues Cerrudo plans to present at Black Hat even lets him bypass one of Microsoft's fixes for the previous Token Kidnapping vulnerabilities on Windows 2003.

"Microsoft is aware of these issues (and another local privilege elevation issue that can be exploited by any user, but I won't be talking about it before the fix) and they will be releasing fixes and advisories in August," Cerrudo explained.

The researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server. These exploits could work on other services too with some minor modifications, he said.

"The presentation is not only about the vulnerabilities and the exploits. I will be showing step by step how I found the vulnerabilities, with what tools and techniques, so participants can learn and walk away knowing how to find these kind of vulnerabilities by themselves," Cerrudo added.

Talkback

42 comments
  • RE: Windows token kidnapping returns to haunt Microsoft

    Sounds too complicated for anyone to really exploit. You already have to be given privileges on the server before you can run exploit code. I will applaud this guy for having morals and waiting until after the patches are released before talking about it. Ormandy could learn quite a bit from this guy on reporting possible vulnerabilities and how to work with Microsoft when one is found. Til then Ormandy should be shunned as well as Google for not firing him for his actions.
    Loverock Davidson
    • Unskilled and unaware of it

      That's the beauty of the [i]Dunning-Kruger effect[/i], it allows you to still feel happy about yourself despite having so little intellectual horsepower to rely on.
      OS Reload
      • RE: Windows token kidnapping returns to haunt Microsoft

        @OS Reload
        I have never heard a diagnosis of LD's neurosis put so succinctly.
        Viva la crank dodo
      • We're very much aware of it as we see it in...

        @OS Reload: ...everyone of your posts.
        ye
      • RE: Windows token kidnapping returns to haunt Microsoft

        @OS Reload

        [i]That's the beauty of the Dunning-Kruger effect, it allows you to still feel happy about yourself despite having so little intellectual horsepower to rely on. [/i]

        Actually, it sounds a lot like you.
        Hallowed are the Ori
      • Well said, @OS Reload

        Lovey Dovey is like the Eveready bunny. He'll keep ticking into walls and more walls.
        ahh so
    • RE: Windows token kidnapping returns to haunt Microsoft

      @Loverock Davidson

      actually, you have some privileges on any IIS webserver you connect to. find a flaw in IIS allowing you remote code execution, and you could chain this to elevate your privileges from anonymous web visitor to local administrator. very difficult now, but still possible

      if you find a free web hosting service running IIS that allows scripts in free account pages, it is much easier as you have permission to upload code that it will execute rather than having to compromise it externally first

      to a malicious hacker, it isn't that hard once the chinks in the armor are found, and Microsoft has a bad habit of pretending the vulnerability wasn't found until the patch is ready unless forced to admit otherwise.
      erik.soderquist
      • sanity at last

        @erik.soderquist well put. The first poster above could do well to ponder your last paragraph.
        pgit
      • RE: Windows token kidnapping returns to haunt Microsoft

        @erik.soderquist
        "bad habit of pretending the vulnerability wasn't found until the patch is ready unless forced to admit otherwise"
        From a security aspect, it would be folly for MS to publicise a security issue that is not already widely known to hackers until it is fixed. Equally, the fix should be made as soon as practical - and there is then no harm in publicising how long that particular fix took. However, the time this takes MS is clearly a policy decision by Redmond - if malware protection companies can provide safety fixes, then MS could in principle do the same thing much better and as quickly (not only the extent of their resources - MS can also modify the internal code when this is safe). So this is simply an issue of hiding behind legal get-outs in order to shirk legitimate responsibility.
        In the case of Ormandy, he was reporting a problem that had already been exploited for an extended period - and Redmond had apparently ignored.
        shtromer
      • RE: Windows token kidnapping returns to haunt Microsoft

        @shtromer

        personally i'm entirely in favor of full disclosure rather than "responsible disclosure". just because an exploit has not been [i]detected[/i] in the wild doesn't mean it doesn't exist and isn't being used... it only means we don't know about it yet. if i know the vulnerability is there without a fix, i can still look into mitigating actions to reduce the potential exposure the vulnerability causes until a fix is ready.

        however, i'm not as concerned about hiding the problem until a fix is ready if it isn't already in the wild as i am about the inaccuracies in some of Microsoft's reports. it has been documented that Microsoft has put fixes in without clearly documenting that they are even there, as well as misrepresenting the discovery time/date of some vulnerabilities that have been reported to them. i would much prefer to have the complete list of fixes in a particular patch than a partial list and not know that something critical to my operations was left unpatched because Microsoft didn't acknowledge the vulnerability was there to be patched. i would also much prefer to have the vulnerability public even without a fix so i can take mitigating actions.

        personal opinion: if the vulnerability is serious enough that it being made public caused a scramble to release a fix, it should be considered serious enough to scramble to release a fix without it being public

        i'm sorry i don't have the references handy for this, i'm responding in a hurry while i have a connection at all.
        erik.soderquist
    • RE: Windows token kidnapping returns to haunt Microsoft

      duh you're one to give advice
      Altotus
    • 2complicated

      @Loverock Davidson "Sounds too complicated for anyone to really exploit"

      Ummmm.... but it's not _anyone_ it really only need be ONE person to write the code, the rest could be script kiddies using exploit kits.
      brunerd
  • Sounds complicated to exploit, and to fix without breaking something

    I might be inclined to cut MS a bit of slack on the assumption that regression testing on 5 platforms XP,Vista, 2003, 2008 and Win 7 will take some time.

    Some of these "security researchers" are walking a very fine line between "researching" and IT terrorism for economic gain.
    croberts