lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAENVrzR4PfndjcYpq5=siqc36SBEPmxLEhLRexsq-WXD49rzVg@mail.gmail.com> Date: Fri, 17 Mar 2017 17:14:58 +0200 From: Alexander Korznikov <nopernik@...il.com> To: fulldisclosure@...lists.org Subject: [FD] TS Session Hijacking / Privilege escalation all windows versions Terminal Services / Console Session Hijacking can lead to Privilege Escalation. Vulnerability Details. A privileged user, which can gain command execution with NT AUTHORITY/SYSTEM rights can hijack any currently logged in user's session, without any knowledge about his credentials. Terminal Services session can be either in connected or disconnected state. This is high risk vulnerability which allows any local admin to hijack a session and get access to: 1. Domain admin TS session. 2. Any unsaved documents, that hijacked user works on. 3. Any other systems/applications in which hijacked user previously logged in (May include another Remote Desktop sessions, Network Share mappings, applications which require another credentials, E-mail etc.) Tested on: Windows 2012 R2 Windows 2008 Windows 10 Windows 7 Proof of Concept: http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html @nopernik _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists