Windows token kidnapping returns to haunt Microsoft

A security researcher plans to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7.
Written by Ryan Naraine, Contributor

Microsoft's problems with Token Kidnapping [.pdf] on the Windows platform aren't going away anytime soon.

More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. Cesar Cerrudo, founder and CEO of Argeniss, a security consultancy firm based in Argentina, first reported the token kidnapping hiccup to Microsoft in 2008 and after waiting in vain for a patch, he released the details during the Month of Kernel Bugs project.

The flaw would eventually be exploited in active attacks, leading to a mad scramble at Redmond to come up with a fix and a subsequent disclosure flap that exposed Microsoft as the irresponsible party.

This year, Cerrudo plans a new talk titled "Token Kidnapping's Revenge" where he will discuss how attackers can even bypass certain Windows services protections.

[ One-year-old (unpatched) Windows 'token kidnapping' under attack ]

In an interview with Threatpost, Cerrudo said the presentation will discuss about a half-dozen vulnerabilities in all Windows versions from XP to Windows 7 that can be exploited to elevate privileges by any user with impersonation rights.

The explanation:

Most Windows services accounts have impersonation rights. Because impersonation rights are needed these are not critical, high risk vulnerabilities, regularWindows users can't exploit them. Some applications are more susceptible to exploitation of these vulnerabilities than others, for instance, if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server.

For example, if you are an SQL Server administrator (which is not a Windows administrator) you can exploit these vulnerabilities from SQL Server and fully compromise the Windows server.

[ Responsible disclosure, the Microsoft way ]

Cerrudo said the vulnerabilities can be exploited to bypass new Windows services protection to help in post-exploitation scenarios too where an attacker is able to run code after exploiting a vulnerability in a Windows service but he is not able to compromise the whole system due to these protections.

One of the issues Cerrudo plans to present at Black Hat even allows him to bypass one of the Microsoft's fixes for previous Token Kidnapping vulnerabilities on Windows 2003.

Where on earth are these Microsoft patches? ]

"Microsoft is aware of these issues (and other local privilege elevation issue that can be exploited by any user but I won't be talking about it before the fix) and they will be releasing fixes and advisories in August," Cerrudo explained.

The researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server.  These exploits could work on other services too with some minor modifications, he said.

"The presentation is not only about the vulnerabilities and the exploits. I will be showing step by step how I found the vulnerabilities, with what tools and techniques, so participants can learn and walk away knowing how to find these kind of vulnerabilities by themselves," Cerrudo added.

* Image via Todd Bishop.

Editorial standards