Presentation is loading. Please wait.

Presentation is loading. Please wait.

Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

Published byIris Holland Modified over 7 years ago

Similar presentations

Presentation on theme: "Token Kidnapping's Revenge Cesar Cerrudo Argeniss."— Presentation transcript:

1 Token Kidnapping's Revenge Cesar Cerrudo Argeniss

2 Who am I? Argeniss Founder and CEO I have been working on security for +8 years I have found and helped to fix hundreds of vulnerabilities in software such as MS Windows, MS SQL Server, Oracle Database Server, IBM DB2, and many more... +50 vulnerabilities found on MS products (+20 on Windows operating systems) I have researched and created novel attacks and exploitation techniques

3 Agenda Introduction What is impersonation and what are tokens? Windows XP and 2003 services security Windows 7, Vista and 2008 services security Token Kidnapping's revenge time Threats scenarios Recommendations Fixes Conclusions

4 Introduction In the past all Windows services ran as Local SYSTEM account – Compromise of a service==full system compromise Then MS introduced NETWORK SERVICE and LOCAL SERVICE accounts – Compromise of a service!=full system compromise Windows Vista, Windows 2008 and Windows 7 introduced new protections First Token Kidnapping issues were fixed, but as we are going to see Windows is still not perfect...

5 What is impersonation and what are tokens? Impersonation is the ability of a thread to execute using different security information than the process that owns the thread – ACL checks are done against the impersonated users – Impersonation APIs: ImpersonateNamedPipeClient(), ImpersonateLoggedOnUser(), RpcImpersonateClient() – Impersonation can only be done by processes with “Impersonate a client after authentication” (SeImpersonatePrivilege) – When a thread impersonates it has an associated impersonation token

6 What is impersonation and what are tokens? Access token is a Windows object that describes the security context of a process or thread – It includes the identity and privileges of the user account associated with the process or thread – They can be Primary or Impersonation tokens Primary are those that are assigned to processes Impersonation are those that can be get when impersonation occurs – Four impersonation levels: SecurityAnonymous, SecurityIdentity, SecurityImpersonation, SecurityDelegation

7 Windows XP and 2003 services security Services run under Network Service, Local Service, Local System and user accounts – All services can impersonate Fixed weaknesses – A process running under X account could access processes running under the same X account After fixes – RPCSS and a few services that impersonate SYSTEM account are now properly protected – WMI processes are protected now

8 Windows Vista, 2008 and 7 services security Per service SID (new protection) – Nice feature, now service processes are really protected, unique SID assigned to process ACL Fixed weaknesses in Windows Vista and 2008 – While regular threads were properly protected, threads from thread pools were not – WMI processes running under LOCAL SERVICE and NETWORK SERVICE were not protected After fixes – Threads from thread pools are properly protected – WMI processes are protected now

9 Token Kidnapping's revenge time Demo

10 Token Kidnapping's revenge time First I found on Windows 7 that TAPI service had process handles with duplicate handle permissions Then I started to examine the TAPI service – Found weak registry permissions HKLM\SOFTWARE\Microsoft\Tracing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Te lephony – Found lineAddProvider() API, Network Service and Local Service accounts can load arbitrary dlls inside TAPI service TAPI service runs as System in Windows 2003

11 Token Kidnapping's revenge time Previous findings lead to other interesting findings in Windows 2003 – When WMI is invoked, DCOMLaunch service reads Network and Local Service users registry keys If values are found then HKCR keys are not used Allows WMI process protection bypass Finally I could elevate privileges from Local/Network Service in all Windows versions and bypass protections

12 Token Kidnapping's revenge time Windows 2003 IIS 6 exploit – Bypass WMI protection Windows 2003 IIS 6 and Windows 2008 IIS 7 exploit – Exploits lineAddProvider() API issue Windows 2008 and Windows 7 IIS 7.5 exploit – Exploits weak registry permissions

13 Threat scenarios Web hosting running IIS in default configuration, users with $5 can fully compromise the server. In-company developers that can upload ASP.NET web pages, they can fully compromise the server and from there the network SQL Server administrators (that aren't Windows administrators) can fully compromise the server Post exploitation, exploiting a less privileged service and then elevating privileges to SYSTEM

14 Recommendations – On IIS don't run ASP.NET in full trust and don't run web sites under Network Service or Local Service accounts – Avoid running services under Network Service or Local Service accounts Use regular user accounts to run services Remove permissions to Users group from HKLM\Software\Microsoft\Tracing registry key Disable Telephony service

15 Fixes – On August Microsoft released a fix for HKLM\Software\Microsoft\Tracing registry key permissions issue and a related elevation of privileges vulnerability. – Microsoft also releasing an advisory to address the TAPI lineAddProvider() issue, non-security fix. – WMI issue on Windows 2003 is not fixed yet.

16 Conclusions Windows services security model still has flaws and new protections can be bypassed Finding vulnerabilities is not difficult if you know what tools to use and were to look for On Windows XP and Windows 2003 – If a user can execute code under Network Service or Local Service account User can execute code as SYSTEM On Windows 7, Vista and 2008 – If a user can impersonate User can execute code as SYSTEM

17 References Token Kidnapping http://www.argeniss.com/research/TokenKidnapping.pdf Impersonate a client after authentication http://support.microsoft.com/kb/821546 Access tokens http://msdn2.microsoft.com/en-us/library/aa374909.aspx Process Explorer and Process Monitor http://www.sysinternals.com API Impersonation Functions http://msdn.microsoft.com/en- us/library/cc246062(PROT.10).aspx

18 Fin Questions? Thanks Contact: cesar>at dot<com Argeniss WE BREAK ANYTHING www.argeniss.com

Download ppt "Token Kidnapping's Revenge Cesar Cerrudo Argeniss."

Similar presentations

Windows Vista Security model and vulnerabilities.

Windows Vista Security model and vulnerabilities.
Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

Token Kidnapping's Revenge Cesar Cerrudo Argeniss.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
27. to 28. March 2007 | Geneva, Switzerland. Fabrice Romelard ilem SA Level 200.

27. to 28. March 2007 | Geneva, Switzerland. Fabrice Romelard ilem SA Level 200.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Cracking Windows Access Control Andrey Kolishchak www.gentlesecurity.com Hack.lu 2007.

Cracking Windows Access Control Andrey Kolishchak Hack.lu 2007.
Virtual techdays INDIA │ 18-20 august 2010 IIS 7/7.5 Tips & Tricks Jaskirat Singh │ Technical Lead [IIS|Asp.Net team], Microsoft.

Virtual techdays INDIA │ august 2010 IIS 7/7.5 Tips & Tricks Jaskirat Singh │ Technical Lead [IIS|Asp.Net team], Microsoft.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Deployment of web Site. Preparing the web site for deployment you now have two versions of web site 1 -one running in the production environment 2-one.

Deployment of web Site. Preparing the web site for deployment you now have two versions of web site 1 -one running in the production environment 2-one.

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Module 10: Configuring Windows XP Professional to Operate in Microsoft Networks.

Module 10: Configuring Windows XP Professional to Operate in Microsoft Networks.

Similar presentations

Ads by Google