Token Kidnapping's Revenge Cesar Cerrudo Argeniss.

Slides:



Advertisements
Similar presentations
IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Advertisements

By Hiranmayi Pai Neeraj Jain
Understand Database Security Concepts
Windows Vista Security model and vulnerabilities.
Henrico Dolfing Business Segment Partners. Océ Document Technologies GmbH2 June, NET Framework Version 3.0.
Why Security Testing Is Hard Herbert H. Thompson Presenter: Alicia Young.
Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
27. to 28. March 2007 | Geneva, Switzerland. Fabrice Romelard ilem SA Level 200.
Building Secure Software Chapter 9 Race Conditions.
Introduction To Windows NT ® Server And Internet Information Server.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Maintaining and Updating Windows Server 2008
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Cracking Windows Access Control Andrey Kolishchak Hack.lu 2007.
Windows Security Mechanisms Al Bento - University of Baltimore.
Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Introduction to Active Directory December 10th, pm Daniels 407.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Introduction to Application Penetration Testing
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Module 10: Configuring Windows XP Professional to Operate in Microsoft Networks.
7.3. Windows Security Descriptors
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
CSAS 2009 Running Windows as a Non- Administrator or how I learned to love “User” By: Kasey Dennler.
Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Using Internet Explorer 7.0 to Access Cisco Unity 5.0(1) Web Interfaces Unity 5.0(1)
1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy
1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Support for Vista Unity 5.0(1)
SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.
SQL Server Windows Vista TM & Windows Server Longhorn Brad Sarsfield Test Lead, SQL Server.
Briefing for: Hacking Windows Internals Cesar Cerrudo Argeniss.
Lieberman Software Random Password Manager & Two-Factor Authentication.
CS795.Net Impersonation… why & How? Presented by: Vijay Reddy Mara.
Copyright © 2006 Pilothouse Consulting Inc. All rights reserved. Impersonation in SharePoint Developers use impersonation when an application needs to.
GUDURU PRAVEEN REDDY.NET IMPERSONATION. Contents Introduction Impersonation Enabled Impersonation Disabled Impersonation Class Libraries Impersonation.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
MA194Using WindowsNT1 Topics for the day… WindowsNT Security WindowsNT File System (NTFS) Viewing/Setting Document and Folder Permissions Access Control.
Security Vulnerabilities in A Virtual Environment
Encryption Toolkit Bethany Rababy And Keith Krehely.
Impersonation Bharat Kadia CS-795. What is Impersonation ? Dictionary-: To assume the character or appearance of someone ASP.NET-: Impersonation is the.
Computer Security By Duncan Hall.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
Windows Security -- Archana Galipalli. Agenda  Windows Security  Windows Security and CLR  Implementing Windows Security for IIS  Configuring Security.
Internet Information Server 6.0 & new management features.
1 BCS 4 th Semester. Step 1: Download SQL Server 2005 Express Edition Version Feature SQL Server 2005 Express Edition SP1 SQL Server 2005 Express Edition.
COMPUTER SECURITY Ashesi University College Benson Wachira Julateh Mulbah.
Troubleshooting Windows Vista Lesson 11. Skills Matrix Technology SkillObjective DomainObjective # Troubleshooting Installation and Startup Issues Troubleshoot.
Maintaining and Updating Windows Server 2008 Lesson 8.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
 Abstract  Introduction  Literature Survey  Conclusion on Literature Survey  Threat model and system architecture  Proposed Work  Attack Scenarios.
Token Kidnapping's Revenge Cesar Cerrudo Argeniss.
Jean-Philippe Baud, IT-GD, CERN November 2007
Manuel Brugnoli, Elisa Heymann UAB
Introduction to SQL Server 2000 Security
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,
Defense in Depth Web Server Custom HTTP Handler Input Validation
Introduction to .net Impersonation
Local Administrator Rights
IIS v7.0 Martin Parry Developer & Platform Group Microsoft Limited
Lecture 2 - SQL Injection
NAVIGATING THE MINEFIELD
Presentation transcript:

Token Kidnapping's Revenge Cesar Cerrudo Argeniss

Who am I? Argeniss Founder and CEO I have been working on security for 8 years I have found and helped to fix hundreds of vulnerabilities in software such as MS Windows, MS SQL Server, Oracle Database Server, IBM DB2, and many more vulnerabilities found on MS products (+20 on Windows operating systems) I have researched and created novel attacks and exploitation techniques

Agenda Introduction What is impersonation and what are tokens? Windows XP and 2003 services security Windows 7, Vista and 2008 services security Token Kidnapping's revenge time Conclusions

Introduction In the past all Windows services ran as Local SYSTEM account – Compromise of a service==full system compromise Then MS introduced NETWORK SERVICE and LOCAL SERVICE accounts – Compromise of a service!=full system compromise Windows Vista, Windows 2008 and Windows 7 introduced new protections First Token Kidnapping issues were fixed, but as we are going to see Windows is still not perfect...

What is impersonation and what are tokens? Impersonation is the ability of a thread to execute using different security information than the process that owns the thread – ACL checks are done against the impersonated users – Impersonation APIs: ImpersonateNamedPipeClient(), ImpersonateLoggedOnUser(), RpcImpersonateClient() – Impersonation can only be done by processes with “Impersonate a client after authentication” (SeImpersonatePrivilege) – When a thread impersonates it has an associated impersonation token

What is impersonation and what are tokens? Access token is a Windows object that describes the security context of a process or thread – It includes the identity and privileges of the user account associated with the process or thread – They can be Primary or Impersonation tokens Primary are those that are assigned to processes Impersonation are those that can be get when impersonation occurs – Four impersonation levels: SecurityAnonymous, SecurityIdentity, SecurityImpersonation, SecurityDelegation

Windows XP and 2003 services security Services run under Network Service, Local Service, Local System and user accounts – All services can impersonate Fixed weaknesses – A process running under X account could access processes running under the same account After fixes – RPCSS and a few services that impersonate SYSTEM account are now properly protected – WMI processes are protected now

Windows Vista, 2008 and 7 services security Per service SID (new protection) – Nice feature, now service processes are really protected and its resources can be armoured Fixed weaknesses in Windows Vista and 2008 – While regular threads were properly protected, threads from thread pools were not – WMI processes running under LOCAL SERVICE and NETWORK SERVICE were not protected After fixes – Threads from thread pools are properly protected – WMI processes are protected now

Token Kidnapping's revenge time First I found that Tapi service had process handles with duplicate handle permissions Then I started to examine the Tapi service – Found weak registry permissions HKLM\SOFTWARE\Microsoft\Tracing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\T elephony – Found lineAddProvider() API, Network Service and Local Service accounts can load arbitrary dlls Tapi service runs as System in Windows 2003 – Found that Tracing functionality is used by most services, including services running as System

Token Kidnapping's revenge time Previous findings lead to other interesting findings in Windows 2003 – When WMI is invoked, DCOMLaunch service reads Network and Local Service users registry keys If values are found then HKCR keys are not used Allows WMI process protection bypass Finally I could elevate privileges in all Windows versions and bypass protections

Token Kidnapping's revenge time Windows 2003 IIS 6 exploits – Bypass WMI protection – Load arbitrary Dll Windows 2008 and Windows 7 IIS 7 exploits – Exploit weak registry permissions

Recomendations Windows XP and Windows 2003 – On IIS 6 don't run ASP.NET in full trust and don't run web apps under Network or Local Service accounts. On Windows 7, Vista and 2008 – On IIS 7 don't run ASP.NET in full trust and don't run web sites under Network Service or Local Service accounts – Don't run services under Network Service or Local Service accounts Use regular user accounts to run services

Conclusions On Windows XP and Windows 2003 – If a user can execute code under Network Service or Local Service account User can execute code as SYSTEM On Windows 7, Vista and 2008 – If a user can impersonate User can execute code as SYSTEM – New services protections are almost useless

References Token Kidnapping Impersonate a client after authentication Access tokens Process Explorer and Process Monitor Api Impersonation Functions us/library/cc246062(PROT.10).aspx

Fin Questions? Thanks Contact: cesar>at dot<com Argeniss – Information Security WE BREAK ANYTHING

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.