Security expert warns of 'token kidnapping' threat

IT professionals and hosting providers have been warned of a vulnerability that affects multiple Windows systems
Written by Tom Espiner, Contributor

Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS web servers through exploitation of vulnerabilities in Microsoft operating systems.

The vulnerability, known as "token kidnapping", is a technique for the elevation of privileges on Windows operating systems. The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss. It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista.

The technique works by elevating privileges through exploiting accounts on IIS servers that have rights to impersonate a client after authentication, Cerrudo told ZDNet.co.uk. Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. The accounts can be exploited by "kidnapping" the token, an object that describes the security context of a process or thread.

"On Windows XP and Server 2003 it's possible to elevate privileges from any Windows account that has impersonation rights," wrote Cerrudo. "Usually Windows services and Internet Information Services websites have this privilege. This means that in these operating systems if a user can upload an ASP [active server pages] or ASP.NET web page and run it then the user can fully compromise the operating system."

While with Windows Vista and Windows Server 2008 it's only possible to elevate privileges from network service and local service Windows accounts, Cerrudo claimed that Windows services and Internet Information Services websites usually run under these accounts, leaving systems open to attack.

The vulnerabilities can be "easily exploited" said Cerrudo. To mitigate risks he said, ASP.NET should not be run in full-trust mode on IIS 6, and if ASP is enabled then users should not be allowed to execute binaries.

On IIS 7, ASP.NET should not be run in full-trust mode, while websites and services should not be run under network service or local service accounts. "It's preferable to use regular user accounts to run services and web sites," Cerrudo added.

Cerrudo presented a paper detailing "token kidnapping" at the Microsoft BlueHat security event earlier in May.

Editorial standards