Local Windows Admins Can Hijack Sessions Without Credentials

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users’ sessions without credentials.

Researcher Alexander Korznikov on Friday published a report in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users’ sessions—even sessions that have been disconnected for some time—with one command.

Korznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7 and all that is required is the NT AUTHORITY/SYSTEM command line, or to create a service that will connect a session back to the attacker’s.
“Someone can say, ‘If you are admin, you can dump a server’s memory and parse it.’ That’s correct, but you don’t need it any more,” Korznikov told Threatpost. “Just two simple commands and you are in. The most incredible thing is that I don’t need to know the credentials of the hijacked user. It is pure password-less hijacking.”

Researcher Kevin Beaumont, meanwhile, published a separate report essentially confirming Korznikov’s work adding that by running the tscon.exe command as the SYSTEM user, an attacker could also connect to any session without a password.

“It doesn’t prompt, it just connects you to the user’s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it runs throughout the years like this,” Beaumont wrote.

Beaumont said that his and Korznikov’s research could bypass the work required to dump server memory and parse for passwords; this provides instant access to the target’s desktop without leaving artifacts in a log or needing to use external tools such as Metaspoit.

“This isn’t about SYSTEM — this is about what you can do with it very quickly, and quietly. Attackers aren’t interested in playing, they’re interested in what they can do with techniques. This is a very valid technique,” Beaumont wrote. “So, you have full blown RDP session hijacking, with a single command.”

Korznikov said he confirmed with Benjamin Delpy, who six years ago disclosed similar findings, that this was a Windows feature and not a vulnerability, but that does not discount the attack value of the situation, he said. Microsoft, for its part, is unlikely to patch this.

“The issue described in the report is not a security vulnerability as it requires local administrator rights on the machine,” a Microsoft spokesperson told Threatpost.

Korznikov said he did not disclose his findings to Microsoft prior to publication of his report last week because it was a design flow issue, out of scope for its bug bounties, and that he did not want to wait “six months until resolution for a CVE.”

“If you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that’s the problem—and not the design flow—we are talking about,” Korznikov said. “You can do everything, even patch terminal services in a way that it will accept your token and allow shadowing mode, without a user’s knowledge.”



 

larry goes to church

Level 3
Verified
Mar 10, 2017
103
And you just gave me another entry in the "Labs to do" notebook.

The fact that you can bypass authentication and get the full session is incredible


Edit: Although while you wouldn't be able to act on behalf as a local admin you would be able to see all their data regardless.

Still post exploitation this is valuable if you can scoop up some local creds.
 
  • Like
Reactions: LASER_oneXM

soccer97

Level 11
Verified
May 22, 2014
517
This highlights another User authentication issue.

I recently read a discussion that mentioned using netplwiz and choosing to require users to press Ctrl + Alt + Del to login. This "Guarantees that an authentic Windows sign in screen appears before users enter their credentials" - Per the description

-Another level of system hardening.
 
D

Deleted member 178

This is how OSes functions , admins are gods in the system , if the admin account is compromised , which shouldn't in the first place, nothing much to do.
If you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that’s the problem—and not the design flow—we are talking about
 
  • Like
Reactions: Huchim

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top