Jump to content

Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

Sign in to follow this  
Followers 0
Batu69

New (but Old) Technique Hijacks User Sessions on All Windows Versions

6 posts in this topic

Hijacking a session via Taks Manager

 

A security researcher has detailed a way to log into any account on the same computer, even without knowing its password. The trick works on all Windows versions, doesn’t require special privileges, and the researcher can’t figure out if it’s a Windows feature or security flaw.

 

The researcher, Alexander Korznikov, calls the attack a “privilege escalation and session hijacking.” The attack can be performed using physical access to the device, but also via an RDP session on a hacked machine, escalating the attacker’s access to other (higher-privileged) accounts.

Attackers can hijack active user/RDP sessions

The general idea behind the attack is that any user, regardless of his role, can use CLI commands built into all Windows versions to escalate his access and switch to any other active user session on the PC.

 

The targeted account must be logged in on the same machine, otherwise, the attack won't work.

In normal conditions, this would imply the attacker having to know the account’s password. But not in Korznikov’s attack.

 

The attacker, from his own account, can execute some cmd.exe commands and then select the active user session he wants to log into, no password required. This attack works with local user sessions, but also with RDP sessions.

Attacks are trivial to execute

The whole attack takes about one minute to perform and doesn’t include many steps, meaning it’s easy to memorize.

Below are three videos demoing the attacks. The first shows how to take over a Windows 7 user session via the Task Manager & cmd.exe, the second only via cmd.exe, while the third shows the hijacking of a Windows Server 2012 account via service creation.

Windows 7 via Task Manager:

https://www.youtube.com/watch?v=oPk5off3yUg

Windows 7 via command line:

https://www.youtube.com/watch?v=VytjV2kPwSg

Windows 2012 R2 via service creation:

https://www.youtube.com/watch?v=OgsoIoWmhWw

 

Below is an example of how an attacker could use this attack, as envisioned by Korznikov himself.

Quote

Some bank employee have access to billing system, and it's credentials to login.
One day, he come to work, logging in to the billing system and start to work. At lunch time he will lock his workstation, and out to lunch.
Then, system administrator gets to employee's workstation, and logs in with his administrator's account.


According to the bank's policy, administrator's account should not have access to the billing system, but with couple of built-in commands in windows, this system administrator will hijack employee's desktop which he leaved locked. From now, sysadmin can perform malicious actions in billing system as billing employee account.

 

Because the attack uses local built-in Windows tools, the attacker doesn’t have to download other malware on the target’s machine, an operation that sometimes triggers alarm bells on a company’s security systems.

 

Korznikov discovery isn’t entirely new but appears to be an expanded version of an older attack. Back in 2011, Benjamin Delpy, a security researcher for the Bank of France, detailed the very same user session hijacking technique on his blog, albeit in French.

 

Taking into account his blog post's age, it is highly unlikely that Microsoft didn't find out about this issue in the past six years. It's very likely that they didn't consider it a security flaw, and deemed this was how Windows was supposed to behave.

 

Article source

 

Other source: Feature or flaw? How to hijack a Windows account in less than a minute

Quote

A Microsoft spokesperson said that the purported flaw "is not a security vulnerability as it requires local admin rights on the machine."

 

 

2 people liked / thanked this

Share this post


Link to post
Share on other sites

Posted (edited)

Even thought, according to Microsoft spokesperson, "is not a flaw" the right thing to do for Microsoft is to find a fix, since the biggest market share of users use Windows OS.

Not too long ago my bank account was hacked (just moved funds between same account) and happened the same day I requested a changed to my account. The strange thing according to an investigation was that they enter to my account with my password.

 

Looks to me like a hack similar to the one above.

Edited by vitorio
1 person liked / thanked this

Share this post


Link to post
Share on other sites

The article seems to state the flaw is in Windows 7/2012, if you use Windows 10, does the flaw exist ?

Share this post


Link to post
Share on other sites
32 minutes ago, virge said:

The article seems to state the flaw is in Windows 7/2012, if you use Windows 10, does the flaw exist ?

 

Feature or flaw? How to hijack a Windows account in less than a minute

Quote

Korznikov said he tested the bug on Windows 7, Windows 10, and Windows Server 2008 and Windows Server 2012 R2, but Beaumont said it works on every supported version of Windows.

 

Share this post


Link to post
Share on other sites

Another brilliant feature of Mark & Bryce's (SysInternals) tools. This "hack" has been around a long time. Using the  -s argument runs the process in the LOCAL SYSTEM context which as anyone should know has God powers. I've been using this tool for many years, but not for malicious purposes.

Share this post


Link to post
Share on other sites

Posted (edited)

4 hours ago, banned said:

Another brilliant feature of Mark & Bryce's (SysInternals) tools.

Russinovich knows Windows like only few ones do...:whistle:

Edited by pc71520

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

×