lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CADxeqvDjOoW7ay7m3N-m2StRG2BLA9dwF2LBzSGu=u-qZDrdgQ@mail.gmail.com>
Date: Mon, 20 Mar 2017 00:33:57 +0000
From: Kevin Beaumont <kevin.beaumont@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] TS Session Hijacking / Privilege escalation all windows
	versions

So this is a pretty big issue, which it looks like the Mimikatz guys
flagged in an all French blog post in 2011 but it flew under the radar.

I've written about it here:
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6#.o2af8u9op

Now, you might well say 'If you have SYSTEM you already own the box' - and
you're right.  But with one command you can remotely hijack Windows
sessions, including disconnected ones (e.g. RDP sessions where the user is
on holiday).  It even unlocks the workstation if locked, and works for the
physical console.

On 17 March 2017 at 15:14, Alexander Korznikov <nopernik@...il.com> wrote:

> Terminal Services / Console Session Hijacking can lead to Privilege
> Escalation.
>
> Vulnerability Details.
>
> A privileged user, which can gain command execution with NT
> AUTHORITY/SYSTEM rights can hijack any currently logged in user's session,
> without any knowledge about his credentials.
> Terminal Services session can be either in connected or disconnected state.
>
> This is high risk vulnerability which allows any local admin to hijack a
> session and get access to:
> 1. Domain admin TS session.
> 2. Any unsaved documents, that hijacked user works on.
> 3. Any other systems/applications in which hijacked user previously logged
> in (May include another Remote Desktop sessions, Network Share mappings,
> applications which require another credentials, E-mail etc.)
>
> Tested on:
> Windows 2012 R2
> Windows 2008
> Windows 10
> Windows 7
>
> Proof of Concept:
>
> http://www.korznikov.com/2017/03/0-day-or-feature-privilege-
> escalation.html
>
> @nopernik
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists