Local Windows Admins Can Hijack Sessions Without Credentials

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users’ sessions without credentials.

Researcher Alexander Korznikov on Friday published a report in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users’ sessions—even sessions that have been disconnected for some time—with one command.

Korznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7 and all that is required is the NT AUTHORITY/SYSTEM command line, or to create a service that will connect a session back to the attacker’s.
“Someone can say, ‘If you are admin, you can dump a server’s memory and parse it.’ That’s correct, but you don’t need it any more,” Korznikov told Threatpost. “Just two simple commands and you are in. The most incredible thing is that I don’t need to know the credentials of the hijacked user. It is pure password-less hijacking.”

Researcher Kevin Beaumont, meanwhile, published a separate report essentially confirming Korznikov’s work adding that by running the tscon.exe command as the SYSTEM user, an attacker could also connect to any session without a password.

“It doesn’t prompt, it just connects you to the user’s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it runs throughout the years like this,” Beaumont wrote.

Beaumont said that his and Korznikov’s research could bypass the work required to dump server memory and parse for passwords; this provides instant access to the target’s desktop without leaving artifacts in a log or needing to use external tools such as Metaspoit.

“This isn’t about SYSTEM — this is about what you can do with it very quickly, and quietly. Attackers aren’t interested in playing, they’re interested in what they can do with techniques. This is a very valid technique,” Beaumont wrote. “So, you have full blown RDP session hijacking, with a single command.”

Korznikov said he confirmed with Benjamin Delpy, who six years ago disclosed similar findings, that this was a Windows feature and not a vulnerability, but that does not discount the attack value of the situation, he said. Microsoft, for its part, is unlikely to patch this.

“The issue described in the report is not a security vulnerability as it requires local administrator rights on the machine,” a Microsoft spokesperson told Threatpost.

Korznikov said he did not disclose his findings to Microsoft prior to publication of his report last week because it was a design flow issue, out of scope for its bug bounties, and that he did not want to wait “six months until resolution for a CVE.”

“If you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that’s the problem—and not the design flow—we are talking about,” Korznikov said. “You can do everything, even patch terminal services in a way that it will accept your token and allow shadowing mode, without a user’s knowledge.”
Click to expand...



 
  • Like
Reactions: Huchim, LASER_oneXM, harlan4096 and 2 others
L

larry goes to church

Level 3
Verified
Mar 10, 2017
103
And you just gave me another entry in the "Labs to do" notebook.

The fact that you can bypass authentication and get the full session is incredible


Edit: Although while you wouldn't be able to act on behalf as a local admin you would be able to see all their data regardless.

Still post exploitation this is valuable if you can scoop up some local creds.
 
  • Like
Reactions: LASER_oneXM
S

soccer97

Level 11
Verified
May 22, 2014
517
This highlights another User authentication issue.

I recently read a discussion that mentioned using netplwiz and choosing to require users to press Ctrl + Alt + Del to login. This "Guarantees that an authentic Windows sign in screen appears before users enter their credentials" - Per the description

-Another level of system hardening.
 
D

Deleted member 178

This is how OSes functions , admins are gods in the system , if the admin account is compromised , which shouldn't in the first place, nothing much to do.
If you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that’s the problem—and not the design flow—we are talking about
Click to expand...
 
  • Like
Reactions: Huchim
You must log in or register to reply here.

Similar threads

Bot
    • Like
Security News E-Root Marketplace Admin Sentenced to 42 Months for Selling 350K Stolen Credentials
Replies
0
Views
721
Security News
Bot
Bot
CyberTech
    • Like
New Update Firefox is getting a button to Reset Private Browsing Sessions
Replies
1
Views
545
Firefox
Ink
Ink
silversurfer
    • Like
    • +Reputation
Malware News New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide
Replies
2
Views
961
Security News
nicolaasjan
nicolaasjan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top