
[NT] Microsoft Windows Improper Token Validation

Subject: [NT] Microsoft Windows Improper Token Validation
Date: 11 Jan 2005 13:10:58 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Microsoft Windows Improper Token Validation
------------------------------------------------------------------------


SUMMARY

A local privilege elevation vulnerability exists in the Access Token 
validation mechanism of the Windows operating system. This vulnerability 
allows any user to take complete control of the system and affects 
Windows 2000, Windows XP, and Windows 2003 (all service packs).

DETAILS

According to MSDN:
"An access token is an object that describes the security context of a 
process or thread. The information in a token includes the identity and 
privileges of the user account associated with the process or thread. When 
a user logs on, the system verifies the user's password by comparing it 
with information stored in a security database. If the password is 
authenticated, the system produces an access token. Every process executed 
on behalf of this user has a copy of this access token.

The system uses an access token to identify the user when a thread 
interacts with a securable object or tries to perform a system task that 
requires privileges. Access tokens contain the following information:

 - The security identifier (SID) for the user's account
 - SIDs for the groups of which the user is a member
 - A logon SID that identifies the current logon session
 - A list of the privileges held by either the user or the user's groups
 - An owner SID
 - The SID for the primary group
 - The default DACL that the system uses when the user creates a securable 
object without specifying a security descriptor
 - The source of the access token
 - Whether the token is a primary or impersonation token
 - An optional list of restricting SIDs
 - Current impersonation levels
 - Other statistics

Every process has a primary token that describes the security context of 
the user account associated with the process. By default, the system uses 
the primary token when a thread of the process interacts with a securable 
object. Moreover, a thread can impersonate a client account. Impersonation 
allows the thread to interact with securable objects using the client's 
security context. A thread that is impersonating a client has both a 
primary token and an impersonation token."

Microsoft introduced a new user right called "Impersonate a client after 
authentication" in Windows 2000 SP4, Windows 2003, and Windows XP SP2. 
This right controls whether the processes run by a user are able to 
impersonate. For instance, if a process thread running in the security 
context of a user without proper rights tries to impersonate, then it gets 
an Identity Token instead of an Impersonation Token. An Identity Token 
only identifies the user account under which the target process is running 
and cannot be used for impersonation. An Identity Token can also be 
retrieved by a thread in order to identify the user account under which a 
process is running. Under certain circumstances this Identity Token can be 
used to impersonate any process thread running under any user account.

The attack vector identified is to impersonate a victim using Identity 
Tokens to access network shares using UNC. For instance, after a thread 
gets an Identity Token for the Local System account or an administrative 
account, the token can be used to impersonate and access administrative 
shares such as \\computername\c$ and to replace system files such as .exe, 
dll, etc. This allows an attacker to elevate privileges or to read 
arbitrary files bypassing permissions. Also, network shares on other 
computers can be accessed in the same way. For instance, user JohnDoe's 
Identity Token can access \\remotepc\someshare\ for which the user JohnDoe 
has permissions but the attacker does not. The attack succeeds because 
apparently that user's credentials are cached by the LSASS (Local Security 
Authority Subsystem Service) after successfully authenticating to a 
network share by standard methods. Then when the share is accessed again, 
the LSASS assumes an Identity Token is an Impersonation token and uses the 
cached credentials to authenticate.

This vulnerability is critical for servers using Terminal Services (or 
Citrix) because a user could impersonate any other user to access network 
shares.
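The advisory's mitigation rests on two things: the MS04-044 fix, and the "Impersonate a client after authentication" right (SeImpersonatePrivilege) that limits which accounts can obtain impersonation tokens at all. The script below is an added example, not code from the advisory, SecuriTeam or Team SHATTER. It inspects the current token through .NET's WindowsIdentity (the fields mirror the MSDN list above: user SID, owner SID, group SIDs, impersonation level), then exports the local security policy with secedit.exe and lists every account that holds SeImpersonatePrivilege, flagging any that is not in a baseline. The baseline of Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE is this example's own assumption; whoami.exe /priv is assumed to be present (it ships with XP/2003 and later).

```powershell
# Added example: audit impersonation-related token state on a Windows host.
# Not part of the advisory; assumes secedit.exe and whoami.exe are available
# and that the policy export is run with administrative rights.
Set-StrictMode -Version 2

function Get-CurrentTokenSummary {
    # WindowsIdentity wraps the caller's access token and exposes the
    # user/owner/group SIDs and the impersonation level described on MSDN.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $privLines = & whoami.exe /priv
    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        OwnerSid           = $id.Owner.Value
        ImpersonationLevel = $id.ImpersonationLevel   # 'None' for a primary token
        GroupCount         = $id.Groups.Count
        HasImpersonatePriv = [bool]($privLines -match '^SeImpersonatePrivilege\s')
    }
}

function Get-ImpersonatePrivilegeHolders {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf'))

    # secedit writes the effective local policy, including user rights
    # assignments, to an INF file. The value line looks like:
    #   SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
    & secedit.exe /export /cfg $ExportPath /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) { throw "secedit export failed: $ExportPath" }
    $line = Get-Content $ExportPath | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $ExportPath -ErrorAction SilentlyContinue

    # Builds that predate the right (pre-2000 SP4 / XP SP2) have no such line.
    if (-not $line) { return @() }

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.TrimStart('*')
            try {
                $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $acct = '<unresolved>'
            }
        } else {
            # secedit occasionally emits a plain account name instead of a SID.
            $acct = $entry
            try {
                $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = '<unresolved>'
            }
        }
        [pscustomobject]@{ Sid = $sid; Account = $acct }
    }
}

function Find-UnexpectedImpersonateHolders {
    # Baseline (example assumption): Administrators, SERVICE, LOCAL SERVICE,
    # NETWORK SERVICE. Anything else holding the right deserves a second look,
    # especially on Terminal Services / Citrix hosts where many users share a box.
    param([string[]]$Baseline = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20'))
    Get-ImpersonatePrivilegeHolders | Where-Object { $Baseline -notcontains $_.Sid }
}

# Usage
Get-CurrentTokenSummary | Format-List
Write-Host 'Accounts holding SeImpersonatePrivilege:'
Get-ImpersonatePrivilegeHolders | Format-Table -AutoSize
Write-Host 'Holders outside the baseline:'
Find-UnexpectedImpersonateHolders | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since secedit /export needs administrative rights. A non-empty list from Find-UnexpectedImpersonateHolders means ordinary users (or groups containing them) can request impersonation tokens; on an unpatched host that widens exactly the exposure the advisory describes, and on a patched host it is still a right worth keeping to service accounts and administrators.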

Links:
http://msdn.microsoft.com/library/en-us/secauthz/security/client_impersonation.asp
http://msdn.microsoft.com/library/en-us/secauthz/security/access_tokens.asp
http://support.microsoft.com/kb/821546/en-us
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/647.asp

Solution:
See the solution provided at:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx


ADDITIONAL INFORMATION

The information has been provided by Team SHATTER (Application Security, 
Inc.), vrathod@appsecinc.com.
The original article can be found at:
http://www.appsecinc.com/resources/alerts/general/06-0001.html


