[Full-Disclosure] [AppSecInc Team SHATTER Security Advisory] Microsoft Windows Improper Token Validation
2005-01-11T00:00:00
ID SECURITYVULNS:DOC:7548 Type securityvulns Reporter Securityvulns Modified 2005-01-11T00:00:00
Description
Microsoft Windows Improper Token Validation
AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/06-0001.html
January 10, 2005
Credit: This vulnerability was discovered and researched by Cesar
Cerrudo of Application Security, Inc.
Risk Level: High
Summary:
A local privilege elevation vulnerability exists in the Windows
operating system. It allows any local user to take complete control
of the system and affects Windows 2000, Windows XP, and Windows 2003
(all service packs).
Versions Affected:
Microsoft Windows 2000, Windows XP, and Windows 2003 (all service packs).
Details:
According to MSDN:
"An access token is an object that describes the security context of a
process or thread. The information in a token includes the identity and
privileges of the user account associated with the process or thread.
When a user logs on, the system verifies the user's password by
comparing it with information stored in a security database. If the
password is authenticated, the system produces an access token. Every
process executed on behalf of this user has a copy of this access token.
The system uses an access token to identify the user when a thread
interacts with a securable object or tries to perform a system task that
requires privileges. Access tokens contain the following information:
- The security identifier (SID) for the user's account
- SIDs for the groups of which the user is a member
- A logon SID that identifies the current logon session
- A list of the privileges held by either the user or the user's groups
- An owner SID
- The SID for the primary group
- The default DACL that the system uses when the user creates a
securable object without specifying a security descriptor
- The source of the access token
- Whether the token is a primary or impersonation token
- An optional list of restricting SIDs
- Current impersonation levels
- Other statistics
Every process has a primary token that describes the security context of
the user account associated with the process. By default, the system
uses the primary token when a thread of the process interacts with a
securable object. Moreover, a thread can impersonate a client account.
Impersonation allows the thread to interact with securable objects using
the client's security context. A thread that is impersonating a client
has both a primary token and an impersonation token."
Microsoft introduced a new user right called "Impersonate a client after
authentication" in Windows 2000 SP4, Windows 2003, and Windows XP SP2.
This right controls whether processes run by a user are allowed to
impersonate clients. For instance, if a thread running in the security
context of a user who does not hold this right tries to impersonate a
client, it gets an Identity Token instead of an Impersonation Token. An
Identity Token only identifies the user account under which the target
process is running and cannot be used for impersonation (in Win32 terms,
it is an impersonation token at the SecurityIdentification level rather
than at SecurityImpersonation). An Identity Token can also be retrieved
by a thread simply to identify the user account under which a process is
running. Under certain circumstances, however, this Identity Token can be
used to impersonate any process thread running under any user account.
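The user right described above is what decides whether a process that impersonates a client receives an impersonation-level or an identification-level token. The following PowerShell script is an added example, not part of the advisory: it lists the accounts granted "Impersonate a client after authentication" (SeImpersonatePrivilege) in the local security policy and reports whether the current process token carries that privilege. It assumes secedit.exe and whoami.exe are available (both ship with Windows XP SP2 / Server 2003 and later) and that the caller is allowed to export the local policy, which normally needs administrative rights; the function names are my own.

```powershell
# Added example (not part of the advisory). Lists who holds the
# "Impersonate a client after authentication" right (SeImpersonatePrivilege)
# and whether the current process token carries it.
# Assumes secedit.exe and whoami.exe are present and that the caller may
# export the local security policy (normally requires an administrator).

function Get-ImpersonateRightHolders {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the local policy as an INI-style file; the
    # [Privilege Rights] section maps each right to a comma-separated SID list.
    & secedit.exe /export /cfg $inf | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (insufficient rights?)' }
    try {
        $line = Get-Content $inf |
            Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # right not granted to anyone
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are written as *SID; translate to an account name when possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $entry
        }
    }
}

function Test-CurrentTokenHasImpersonate {
    # whoami /priv lists every privilege present in the calling token,
    # enabled or disabled; presence is what matters for impersonation.
    $privs = & whoami.exe /priv
    return [bool]($privs | Where-Object { $_ -match '^SeImpersonatePrivilege\s' })
}

"Accounts granted 'Impersonate a client after authentication':"
Get-ImpersonateRightHolders | ForEach-Object { "  $_" }
"Current process token holds SeImpersonatePrivilege: $(Test-CurrentTokenHasImpersonate)"
```

On a default installation the right is held by Administrators, SERVICE, LOCAL SERVICE and NETWORK SERVICE; any additional entry (for example a service account or an IIS worker identity) is a process context from which full impersonation, rather than identification only, is possible and deserves review.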
The attack vector identified is to impersonate a victim using Identity
Tokens when accessing network shares through UNC paths. For instance,
after a thread obtains an Identity Token for the Local System account or
an administrative account, the token can be used to impersonate that
account and access administrative shares such as \\computername\c$, and
so to replace system files (.exe, .dll, and so on). This allows an
attacker to elevate privileges or to read arbitrary files, bypassing
permissions. Network shares on other computers can be accessed in the
same way: for instance, user JohnDoe's Identity Token can be used to
access \\remotepc\someshare\, for which JohnDoe has permissions but the
attacker does not. The attack succeeds because, apparently, that user's
credentials are cached by LSASS (the Local Security Authority Subsystem
Service) after the user successfully authenticates to a network share by
standard means. When the share is accessed again, LSASS treats the
Identity Token as if it were an Impersonation Token and uses the cached
credentials to authenticate.
This vulnerability is critical for servers using Terminal Services (or
Citrix) because a user could impersonate any other user to access
network shares.
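The validation that the share-access path skipped is easy to observe for local objects. The following PowerShell script is an added example, not part of the advisory: it duplicates the caller's own primary token once at the SecurityIdentification level (what the advisory calls an Identity Token) and once at the SecurityImpersonation level, impersonates each on the current thread, and attempts to open a local file. The kernel enforces the level on local access: the open made under the identification-level token is refused with Win32 error 1346 (ERROR_BAD_IMPERSONATION_LEVEL), while the impersonation-level duplicate succeeds. That refusal is the check the advisory reports LSASS did not make before reusing cached credentials for a UNC path. The script uses only the caller's own identity, so it needs no SeImpersonatePrivilege and elevates nothing; it assumes Windows PowerShell 2.0 or later for Add-Type (a newer system than those listed as affected, where the same local check applies), and the class and function names are my own.

```powershell
# Added example (not part of the advisory). Shows the kernel refusing object
# access to a thread that impersonates at SecurityIdentification level, and
# allowing it at SecurityImpersonation level, using the caller's own token.
# Assumes Windows PowerShell 2.0+ (Add-Type); the type name is my own.

$src = @'
using System;
using System.Runtime.InteropServices;

public static class TokenLevelProbe
{
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004;
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;
    static readonly IntPtr INVALID_HANDLE = new IntPtr(-1);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs,
        int impersonationLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetThreadToken(IntPtr thread, IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFileW(string path, uint access, uint share, IntPtr sa,
        uint disposition, uint flags, IntPtr template);

    // Duplicate this process's primary token as an impersonation token at the
    // requested SECURITY_IMPERSONATION_LEVEL, put it on the current thread,
    // try to open 'path' for read, revert, and return the Win32 error (0 = opened).
    public static int OpenAsLevel(string path, int level)
    {
        IntPtr primary, dup;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, out primary))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            if (!DuplicateTokenEx(primary, TOKEN_QUERY | TOKEN_IMPERSONATE, IntPtr.Zero,
                                  level, 2 /* TokenImpersonation */, out dup))
                throw new System.ComponentModel.Win32Exception();
            try
            {
                if (!SetThreadToken(IntPtr.Zero, dup))
                    throw new System.ComponentModel.Win32Exception();
                try
                {
                    IntPtr h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
                                           OPEN_EXISTING, 0, IntPtr.Zero);
                    int err = (h == INVALID_HANDLE) ? Marshal.GetLastWin32Error() : 0;
                    if (h != INVALID_HANDLE) CloseHandle(h);
                    return err;
                }
                finally { RevertToSelf(); }
            }
            finally { CloseHandle(dup); }
        }
        finally { CloseHandle(primary); }
    }
}
'@
Add-Type -TypeDefinition $src

$probe = Join-Path $env:TEMP 'token-level-probe.txt'
Set-Content -Path $probe -Value 'probe'
try {
    # SECURITY_IMPERSONATION_LEVEL: 1 = SecurityIdentification, 2 = SecurityImpersonation
    $identification = [TokenLevelProbe]::OpenAsLevel($probe, 1)
    $impersonation  = [TokenLevelProbe]::OpenAsLevel($probe, 2)
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
"Open under identification-level token: Win32 error $identification"
"Open under impersonation-level token:  Win32 error $impersonation"
```

Everything that touches the thread token happens inside one static method so the impersonation and the file open are guaranteed to run on the same thread; RevertToSelf runs in a finally block so the thread never keeps a foreign token if the open throws.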
Links:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/client_impersonation.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_tokens.asp
http://support.microsoft.com/kb/821546/en-us
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/647.asp

Workaround:
None.

Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business.
----------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html